diff --git a/.buildkite/ftr_configs.yml b/.buildkite/ftr_configs.yml index 4a59641e29af2..3d6e985018dee 100644 --- a/.buildkite/ftr_configs.yml +++ b/.buildkite/ftr_configs.yml @@ -39,7 +39,8 @@ disabled: # Elastic Synthetics configs - x-pack/plugins/synthetics/e2e/config.ts - - x-pack/plugins/synthetics/e2e/playwright_run.ts + - x-pack/plugins/synthetics/e2e/synthetics_run.ts + - x-pack/plugins/ux/e2e/synthetics_run.ts # Configs that exist but weren't running in CI when this file was introduced - test/visual_regression/config.ts @@ -145,6 +146,7 @@ enabled: - x-pack/test/functional/apps/cross_cluster_replication/config.ts - x-pack/test/functional/apps/dashboard/group1/config.ts - x-pack/test/functional/apps/dashboard/group2/config.ts + - x-pack/test/functional/apps/dashboard/group3/config.ts - x-pack/test/functional/apps/data_views/config.ts - x-pack/test/functional/apps/dev_tools/config.ts - x-pack/test/functional/apps/discover/config.ts @@ -188,6 +190,7 @@ enabled: - x-pack/test/functional/config_security_basic.ts - x-pack/test/functional/config.ccs.ts - x-pack/test/functional/config.firefox.js + - x-pack/test/kubernetes_security/basic/config.ts - x-pack/test/licensing_plugin/config.public.ts - x-pack/test/licensing_plugin/config.ts - x-pack/test/lists_api_integration/security_and_spaces/config.ts @@ -234,6 +237,7 @@ enabled: - x-pack/test/security_functional/saml.config.ts - x-pack/test/security_solution_endpoint_api_int/config.ts - x-pack/test/security_solution_endpoint/config.ts + - x-pack/test/session_view/basic/config.ts - x-pack/test/spaces_api_integration/security_and_spaces/config_basic.ts - x-pack/test/spaces_api_integration/security_and_spaces/config_trial.ts - x-pack/test/spaces_api_integration/spaces_only/config.ts diff --git a/.buildkite/package-lock.json b/.buildkite/package-lock.json index 86a594324c0f4..2af4d143fde07 100644 --- a/.buildkite/package-lock.json +++ b/.buildkite/package-lock.json 
@@ -8,7 +8,7 @@ "name": "kibana-buildkite", "version": "1.0.0", "dependencies": { - "kibana-buildkite-library": "git+https://git@github.com/elastic/kibana-buildkite-library#4ecaba35293fb635cf92ca205ee84fca52f19e2e" + "kibana-buildkite-library": "git+https://git@github.com/elastic/kibana-buildkite-library#6a73a417decc52f309ede3644577c9dca7b411a2" } }, "node_modules/@nodelib/fs.scandir": { @@ -368,8 +368,8 @@ }, "node_modules/kibana-buildkite-library": { "version": "1.0.0", - "resolved": "git+https://git@github.com/elastic/kibana-buildkite-library.git#4ecaba35293fb635cf92ca205ee84fca52f19e2e", - "integrity": "sha512-AjX3YyovsyYQ7MBoXQcHdyuFbnYZIChxr+gGApTFVNvJx4z9FeuKxQLKfDuONlZpNliHHgaenmf5APU/ZUqxVA==", + "resolved": "git+https://git@github.com/elastic/kibana-buildkite-library.git#6a73a417decc52f309ede3644577c9dca7b411a2", + "integrity": "sha512-SMW4Eoc/Tkg2lW63iB34obeiqCMhW4a7n3wWa7Ps63eI7+74QlIJha6K5Fa4fO/08ABZ6nEqsWeAOYAFnVLF7g==", "license": "MIT", "dependencies": { "@octokit/rest": "^18.10.0", @@ -839,9 +839,9 @@ } }, "kibana-buildkite-library": { - "version": "git+https://git@github.com/elastic/kibana-buildkite-library.git#4ecaba35293fb635cf92ca205ee84fca52f19e2e", - "integrity": "sha512-AjX3YyovsyYQ7MBoXQcHdyuFbnYZIChxr+gGApTFVNvJx4z9FeuKxQLKfDuONlZpNliHHgaenmf5APU/ZUqxVA==", - "from": "kibana-buildkite-library@git+https://git@github.com/elastic/kibana-buildkite-library#4ecaba35293fb635cf92ca205ee84fca52f19e2e", + "version": "git+https://git@github.com/elastic/kibana-buildkite-library.git#6a73a417decc52f309ede3644577c9dca7b411a2", + "integrity": "sha512-SMW4Eoc/Tkg2lW63iB34obeiqCMhW4a7n3wWa7Ps63eI7+74QlIJha6K5Fa4fO/08ABZ6nEqsWeAOYAFnVLF7g==", + "from": "kibana-buildkite-library@git+https://git@github.com/elastic/kibana-buildkite-library#6a73a417decc52f309ede3644577c9dca7b411a2", "requires": { "@octokit/rest": "^18.10.0", "axios": "^0.21.4", diff --git a/.buildkite/package.json b/.buildkite/package.json index 6e70ff45e8ce7..d22b079c1ab44 100644 
--- a/.buildkite/package.json +++ b/.buildkite/package.json @@ -3,6 +3,6 @@ "version": "1.0.0", "private": true, "dependencies": { - "kibana-buildkite-library": "git+https://git@github.com/elastic/kibana-buildkite-library#4ecaba35293fb635cf92ca205ee84fca52f19e2e" + "kibana-buildkite-library": "git+https://git@github.com/elastic/kibana-buildkite-library#6a73a417decc52f309ede3644577c9dca7b411a2" } } diff --git a/.buildkite/pipelines/es_snapshots/promote.yml b/.buildkite/pipelines/es_snapshots/promote.yml index 8268643e4179c..f2f7b423c94c2 100644 --- a/.buildkite/pipelines/es_snapshots/promote.yml +++ b/.buildkite/pipelines/es_snapshots/promote.yml @@ -12,7 +12,3 @@ steps: command: .buildkite/scripts/steps/es_snapshots/promote.sh agents: queue: kibana-default - - wait - - trigger: kibana-agent-packer-cache - async: true - branches: main diff --git a/.buildkite/pipelines/pull_request/synthetics_plugin.yml b/.buildkite/pipelines/pull_request/synthetics_plugin.yml new file mode 100644 index 0000000000000..d9f0a843aa216 --- /dev/null +++ b/.buildkite/pipelines/pull_request/synthetics_plugin.yml @@ -0,0 +1,11 @@ +steps: + - command: .buildkite/scripts/steps/functional/synthetics_plugin.sh + label: 'Synthetics @elastic/synthetics Tests' + agents: + queue: ci-group-6 + depends_on: build + timeout_in_minutes: 120 + retry: + automatic: + - exit_status: '*' + limit: 1 diff --git a/.buildkite/pipelines/pull_request/uptime.yml b/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml similarity index 58% rename from .buildkite/pipelines/pull_request/uptime.yml rename to .buildkite/pipelines/pull_request/ux_plugin_e2e.yml index 60fdea1add04c..e0200b2c95c64 100644 --- a/.buildkite/pipelines/pull_request/uptime.yml +++ b/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml 
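Review bot: The `retry: automatic: - exit_status: '*' limit: 1` block in the new synthetics_plugin.yml step retries once on every non-zero exit, a genuine test failure included, so a red PR can hold a `ci-group-6` agent for two full runs of the 120-minute `timeout_in_minutes` before it reports. If the intent is only to absorb lost agents or infrastructure flakes, narrowing the pattern to those statuses (Buildkite reports a lost agent as `exit_status: -1`) would be cheaper. If retrying real failures is deliberate, a one-line comment above `retry:` giving the reason would keep the next reader from tightening it; the renamed ux_plugin_e2e.yml presumably carries the same block, since its hunk shows only the label and command changing.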
@@ -1,6 +1,6 @@ steps: - - command: .buildkite/scripts/steps/functional/uptime.sh - label: 'Uptime @elastic/synthetics Tests' + - command: .buildkite/scripts/steps/functional/ux_synthetics_e2e.sh + label: 'UX Plugin @elastic/synthetics Tests' agents: queue: ci-group-6 depends_on: build diff --git a/.buildkite/scripts/pipelines/pull_request/pipeline.js b/.buildkite/scripts/pipelines/pull_request/pipeline.js index c9f42dae1a776..a3916900360a4 100644 --- a/.buildkite/scripts/pipelines/pull_request/pipeline.js +++ b/.buildkite/scripts/pipelines/pull_request/pipeline.js @@ -104,8 +104,12 @@ const uploadPipeline = (pipelineContent) => { pipeline.push(getPipeline('.buildkite/pipelines/pull_request/osquery_cypress.yml')); } - if (await doAnyChangesMatch([/^x-pack\/plugins\/uptime/])) { - pipeline.push(getPipeline('.buildkite/pipelines/pull_request/uptime.yml')); + if (await doAnyChangesMatch([/^x-pack\/plugins\/synthetics/])) { + pipeline.push(getPipeline('.buildkite/pipelines/pull_request/synthetics_plugin.yml')); + } + + if (await doAnyChangesMatch([/^x-pack\/plugins\/ux/])) { + pipeline.push(getPipeline('.buildkite/pipelines/pull_request/ux_plugin_e2e.yml')); } if (process.env.GITHUB_PR_LABELS.includes('ci:deploy-cloud')) { diff --git a/.buildkite/scripts/steps/es_snapshots/promote.sh b/.buildkite/scripts/steps/es_snapshots/promote.sh index 20f79d1a4e2e4..cce46f8ac9b58 100755 --- a/.buildkite/scripts/steps/es_snapshots/promote.sh +++ b/.buildkite/scripts/steps/es_snapshots/promote.sh @@ -2,6 +2,7 @@ set -euo pipefail +echo "--- Promote snapshot" export ES_SNAPSHOT_MANIFEST="${ES_SNAPSHOT_MANIFEST:-"$(buildkite-agent meta-data get ES_SNAPSHOT_MANIFEST)"}" cat << EOF | buildkite-agent annotate --style "info" 
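Review bot: The two new `doAnyChangesMatch` patterns are anchored only at the start, so `/^x-pack\/plugins\/ux/` would also fire for any sibling plugin directory whose name merely begins with `ux`, and `/^x-pack\/plugins\/synthetics/` likewise; `/^x-pack\/plugins\/ux\//` and `/^x-pack\/plugins\/synthetics\//` keep each trigger exact. The removed `/^x-pack\/plugins\/uptime/` match has no replacement, so if an `x-pack/plugins/uptime` directory still exists, edits there will no longer schedule the synthetics e2e job — worth confirming that is intended rather than a side effect of the rename. The enclosing function starts and ends outside the hunk.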
@@ -11,3 +12,8 @@ cat << EOF | buildkite-agent annotate --style "info" EOF node "$(dirname "${0}")/promote_manifest.js" "$ES_SNAPSHOT_MANIFEST" + +if [[ "$BUILDKITE_BRANCH" == "main" ]]; then + echo "--- Trigger agent packer cache pipeline" + node .buildkite/scripts/steps/trigger_packer_cache.js +fi diff --git a/.buildkite/scripts/steps/functional/uptime.sh b/.buildkite/scripts/steps/functional/synthetics_plugin.sh similarity index 66% rename from .buildkite/scripts/steps/functional/uptime.sh rename to .buildkite/scripts/steps/functional/synthetics_plugin.sh index 49b850801a75e..0cd9082b8f228 100755 --- a/.buildkite/scripts/steps/functional/uptime.sh +++ b/.buildkite/scripts/steps/functional/synthetics_plugin.sh @@ -7,11 +7,11 @@ source .buildkite/scripts/common/util.sh .buildkite/scripts/bootstrap.sh .buildkite/scripts/download_build_artifacts.sh -export JOB=kibana-uptime-playwright +export JOB=kibana-synthetics-plugin -echo "--- synthetics @elastic/synthetics Tests" +echo "--- Synthetics plugin @elastic/synthetics Tests" cd "$XPACK_DIR" -checks-reporter-with-killswitch "synthetics plugin @elastic/synthetics Tests" \ +checks-reporter-with-killswitch "Synthetics plugin @elastic/synthetics Tests" \ node plugins/synthetics/scripts/e2e.js --kibana-install-dir "$KIBANA_BUILD_LOCATION" ${GREP:+--grep \"${GREP}\"} diff --git a/.buildkite/scripts/steps/functional/ux_synthetics_e2e.sh b/.buildkite/scripts/steps/functional/ux_synthetics_e2e.sh new file mode 100755 index 0000000000000..2ede2276a2c2d --- /dev/null +++ b/.buildkite/scripts/steps/functional/ux_synthetics_e2e.sh 
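Review bot: The new `main` gate at the end of the hunk runs `node .buildkite/scripts/steps/trigger_packer_cache.js` relative to the working directory, while the context line just above it resolves `promote_manifest.js` through `"$(dirname "${0}")"`; from any directory other than the repo root the step would now fail after the manifest has already been promoted. The other step scripts in this diff assume the repo root too, so either form works in CI, but adjacent lines using two conventions invite drift — `node "$(dirname "${0}")/../trigger_packer_cache.js"` matches the line above. This also moves the branch gate from the `branches: main` trigger step deleted in promote.yml into shell, where `$BUILDKITE_BRANCH` must be set under `set -u`; a comment such as `# Only main refreshes the agent packer cache (replaces the pipeline-level trigger step)` would record why the gate lives here now.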
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+.buildkite/scripts/bootstrap.sh
+.buildkite/scripts/download_build_artifacts.sh
+
+export JOB=kibana-ux-plugin-synthetics
+
+echo "--- User Experience @elastic/synthetics Tests"
+
+cd "$XPACK_DIR"
+
+checks-reporter-with-killswitch "User Experience plugin @elastic/synthetics Tests" \
+ node plugins/ux/scripts/e2e.js --kibana-install-dir "$KIBANA_BUILD_LOCATION" ${GREP:+--grep \"${GREP}\"}
diff --git a/.buildkite/scripts/steps/trigger_packer_cache.js b/.buildkite/scripts/steps/trigger_packer_cache.js
new file mode 100644
index 0000000000000..3689df318fceb
--- /dev/null
+++ b/.buildkite/scripts/steps/trigger_packer_cache.js
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+const { BuildkiteClient } = require('kibana-buildkite-library');
+
+(async () => {
+ try {
+ const client = new BuildkiteClient();
+ const build = await client.triggerBuild('kibana-agent-packer-cache', {
+ commit: 'HEAD',
+ branch: 'main',
+ ignore_pipeline_branch_filters: true, // Required because of a Buildkite bug
+ });
+ console.log(`Triggered build: ${build.web_url}`);
+ process.exit(0);
+ } catch (ex) {
+ console.error('Buildkite API Error', ex.toString());
+ if (ex.response) {
+ console.error('HTTP Error Response Status', ex.response.status);
+ console.error('HTTP Error Response Body', ex.response.data);
+ }
+ process.exit(1);
+ }
+})();
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2bfa9572055b1..3cdd9a3c74ecd 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
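Review bot: The `${GREP:+--grep \"${GREP}\"}` expansion on the last line of the new ux_synthetics_e2e.sh inserts literal double-quote characters into the argument and, being unquoted, is still word-split, so a `GREP` value containing a space reaches `e2e.js` as several arguments wrapped in stray quotes; unless `e2e.js` strips those itself, building the arguments as an array (`grep_args=(--grep "$GREP")` behind `[[ -n "${GREP:-}" ]]`, then `"${grep_args[@]}"` on the call) passes the value intact. The same expression is carried over unchanged in synthetics_plugin.sh, so the fix applies there too. Apart from the `JOB` name, the echo label and the plugin path, this script duplicates synthetics_plugin.sh line for line; a shared helper parameterised on the plugin name would keep the two from drifting.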
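Review bot: The new trigger_packer_cache.js has no header saying what it does or who calls it; since it is reached only from the `main`-branch gate added to es_snapshots/promote.sh, a line such as `// Triggers the kibana-agent-packer-cache pipeline after an ES snapshot is promoted on main; called from es_snapshots/promote.sh.` above the `require` would explain why `branch: 'main'` and `commit: 'HEAD'` are hard-coded rather than taken from `BUILDKITE_BRANCH`/`BUILDKITE_COMMIT`. The `// Required because of a Buildkite bug` remark on `ignore_pipeline_branch_filters` would be more useful with a pointer to the issue or a one-line description of the symptom it works around, so the flag can be dropped once it is fixed. The `catch` block logs `ex.toString()` and, when present, `ex.response.status` and `ex.response.data` before exiting 1, which is enough to diagnose a rejected API call; worth a brief comment that `ex.response` is the client's HTTP error shape, since nothing here shows what `BuildkiteClient` throws.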
@@ -141,6 +141,8 @@ /x-pack/test/functional/es_archives/uptime @elastic/uptime /x-pack/test/functional/services/uptime @elastic/uptime /x-pack/test/api_integration/apis/uptime @elastic/uptime +/x-pack/plugins/observability/public/components/shared/exploratory_view @elastic/uptime + # Client Side Monitoring / Uptime (lives in APM directories but owned by Uptime) /x-pack/plugins/apm/public/application/uxApp.tsx @elastic/uptime @@ -579,8 +581,10 @@ x-pack/plugins/security_solution/cypress/README.md @elastic/security-engineering x-pack/test/security_solution_cypress @elastic/security-engineering-productivity ## Security Solution sub teams - adaptive-workload-protection +x-pack/plugins/kubernetes_security @elastic/awp-platform x-pack/plugins/session_view @elastic/awp-platform x-pack/plugins/security_solution/public/common/components/sessions_viewer @elastic/awp-platform +x-pack/plugins/security_solution/public/kubernetes @elastic/awp-platform # Security Intelligence And Analytics /x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules @elastic/security-intelligence-analytics diff --git a/dev_docs/contributing/how_we_use_github.mdx b/dev_docs/contributing/how_we_use_github.mdx index a45cad425a0e5..8c76c48003c3c 100644 --- a/dev_docs/contributing/how_we_use_github.mdx +++ b/dev_docs/contributing/how_we_use_github.mdx @@ -131,7 +131,7 @@ would be useful to all teams, talk to your team or tech lead about getting it ad ### Team labels -Examples: `Team:Security`, `Team:Operations`. +Examples: `Team:Security`, `Team:Operations`, `Team:Docs`. These labels map the issue to the team that owns the particular area. Part of the responsibilities of (todo) is to ensure every issue has at least a team or a project 
@@ -178,3 +178,36 @@ it might mean the version the team is tentatively planning to merge a fix. Consult the owning team if you have a question about how a version label is meant to be used on an issue. + +### Issue type and workflow labels + +These labels categorize the type of work. For example: + +- `blocked`: Indicates the issue is currently blocked +- `blocker`: Indicates that we should not release the product at the next + proposed version without the issue being resolved +- `bug`: Indicates an unexpected problem or unintended behavior +- `discuss`: Indicates that an issue is a discussion topic +- `docs`/`documentation`: Indicates improvements or additions to documentation +- `enhancement`: Indicates new feature or enhancement requests +- `meta`: Indicates that the issue tracks tasks related to a project +- `needs_triage`: Indicates that someone from the area team needs to investigate. + +These labels affect whether your PR appears in the release notes (that is to say, +it's notable and affects our users) and which section it appears in. 
For example: + +- `release_note:breaking`: Specifies a breaking change and adds the PR to the Breaking changes section in the release notes +- `release_note:deprecation`: Specifies a deprecated feature and adds the PR to the Deprecations section in the release notes +- `release_note:enhancement`: Specifies a feature enhancement and adds the PR to the Enhancements section in the release notes +- `release_note:feature`: Specifies a new feature and adds the PR to the Features section in the release notes +- `release_note:fix`: Specifies a bug fix and adds the PR to the Bug fixes section in the release notes +- `release_node:plugin_api_changes`: Specifies a changes to the plugin API and adds the PR to the Plugin API changes page in the Developer Guide +- `release_note:skip`: Omits the PR from release notes + +These labels related to backporting PRs: + +- `auto-backport`: Automatically backport this PR (to the branches related to + version labels) after it's merged +- `backport`: This PR was backported +- `backport:skip`: This PR does not require backporting + diff --git a/dev_docs/operations/operations_landing.mdx b/dev_docs/operations/operations_landing.mdx index 40c3ae3560768..b9e68beb9637e 100644 --- a/dev_docs/operations/operations_landing.mdx +++ b/dev_docs/operations/operations_landing.mdx @@ -50,5 +50,7 @@ layout: landing { pageId: "kibDevDocsOpsAmbientUiTypes" }, { pageId: "kibDevDocsOpsTestSubjSelector" }, { pageId: "kibDevDocsOpsBazelRunner" }, + { pageId: "kibDevDocsOpsCliDevMode" }, + { pageId: "kibDevDocsOpsEs" }, ]} /> \ No newline at end of file diff --git a/docs/api/cases/cases-api-find-cases.asciidoc b/docs/api/cases/cases-api-find-cases.asciidoc index 92b23a4aafb8d..c643bc64cb982 100644 --- a/docs/api/cases/cases-api-find-cases.asciidoc +++ b/docs/api/cases/cases-api-find-cases.asciidoc 
@@ -111,94 +111,46 @@ The API returns a JSON object listing the retrieved cases. For example: { "page": 1, "per_page": 5, - "total": 2, + "total": 1, "cases": [ { "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", "version": "WzExMCwxXQ==", "comments": [], - "totalComment": 0, + "totalComment": 1, "totalAlerts": 0, - "title": "The Long Game", - "tags": [ - "windows", - "phishing" - ], - "description": "Windows 95", - "settings": { - "syncAlerts": true - }, + "title": "Case title", + "tags": [ "phishing" ], + "description": "Case description", + "settings": { "syncAlerts": true }, "owner": "securitySolution", "duration": null, "severity": "low", "closed_at": null, "closed_by": null, - "created_at": "2022-03-29T13:03:23.533Z", - "created_by": { - "email": "rhustler@email.com", - "full_name": "Rat Hustler", - "username": "rhustler" - }, - "status": "open", - "updated_at": null, - "updated_by": null, - "connector": { - "id": "131d4448-abe0-4789-939d-8ef60680b498", - "name": "My connector", - "type": ".jira", - "fields": { - "issueType": "10006", - "priority": null, - } - } - "external_service": null, - }, - { - "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", - "version": "Wzk4LDFd", - "comments": [], - "totalComment": 0, - "totalAlerts": 0, - "title": "This case will self-destruct in 5 seconds", - "tags": [ - "phishing", - "social engineering", - "bubblegum" - ], - "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. 
Repeat - operation bubblegum is now active!", - "settings": { - "syncAlerts": false - }, - "owner": "cases", - "duration": null, - "closed_at": null, - "closed_by": null, - "created_at": "2022-03-29T11:30:02.658Z", + "created_at": "2022-05-12T00:16:36.371Z", "created_by": { - "email": "ahunley@imf.usa.gov", - "full_name": "Alan Hunley", - "username": "ahunley" + "email": "jdoe@email.com", + "full_name": "Jane Doe", + "username": "jdoe" }, "status": "open", - "updated_at": "2022-03-29T12:01:50.244Z", + "updated_at": "2022-05-12T00:27:58.162Z", "updated_by": { - "full_name": "Classified", - "email": "classified@hms.oo.gov.uk", - "username": "M" + "email": "jsmith@email.com", + "full_name": "Joe Smith", + "username": "jsmith" }, "connector": { - "id": "131d4448-abe0-4789-939d-8ef60680b498", - "name": "My connector", - "type": ".resilient", - "fields": { - "issueTypes": [13], - "severityCode": 6, - } + "id": "none", + "name": "none", + "type": ".none", + "fields": null }, - "external_service": null, + "external_service": null } ], - "count_open_cases": 2, + "count_open_cases": 1, "count_in_progress_cases":0, "count_closed_cases": 0 } diff --git a/docs/api/cases/cases-api-get-cases-by-alert.asciidoc b/docs/api/cases/cases-api-get-cases-by-alert.asciidoc index 3bd2e8debb3cd..01aec7a7e4c77 100644 --- a/docs/api/cases/cases-api-get-cases-by-alert.asciidoc +++ b/docs/api/cases/cases-api-get-cases-by-alert.asciidoc @@ -61,12 +61,8 @@ For example: -------------------------------------------------- [ { - "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6", - "title": "Case 1" - }, - { - "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2", - "title": "Case 2" + "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6", + "title":"security_case" } ] -------------------------------------------------- \ No newline at end of file diff --git a/docs/api/cases/cases-api-get-configuration.asciidoc b/docs/api/cases/cases-api-get-configuration.asciidoc index 778e95949e3f5..46cb11dc63b03 100644 
--- a/docs/api/cases/cases-api-get-configuration.asciidoc +++ b/docs/api/cases/cases-api-get-configuration.asciidoc @@ -44,7 +44,7 @@ read. [source,sh] -------------------------------------------------- -GET api/cases/configure?owner=securitySolution +GET api/cases/configure?owner=cases -------------------------------------------------- // KIBANA @@ -54,19 +54,19 @@ The API returns the following type of information: -------------------------------------------------- [ { - "owner": "securitySolution", "closure_type": "close-by-user", - "created_at": "2020-03-30T13:31:38.083Z", + "owner": "cases", + "created_at": "2022-06-01T17:07:17.767Z", "created_by": { - "email": "admin@hms.gov.uk", - "full_name": "Mr Admin", - "username": "admin" + "email": "null", + "full_name": "null", + "username": "elastic" }, "updated_at": null, "updated_by": null, "connector": { "id": "131d4448-abe0-4789-939d-8ef60680b498", - "name": "my-jira", + "name": "my-jira-connector", "type": ".jira", "fields": null }, diff --git a/docs/api/cases/cases-api-set-configuration.asciidoc b/docs/api/cases/cases-api-set-configuration.asciidoc index 6a7a7c26c66d2..89ec6f0600717 100644 --- a/docs/api/cases/cases-api-set-configuration.asciidoc +++ b/docs/api/cases/cases-api-set-configuration.asciidoc @@ -109,9 +109,9 @@ POST api/cases/configure { "owner": "cases", "connector": { - "id": "131d4448-abe0-4789-939d-8ef60680b498", - "name": "my-serviceNow", - "type": ".servicenow", + "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6", + "name": "my-jira-connector", + "type": ".jira", "fields": null, }, "closure_type": "close-by-user" 
@@ -123,41 +123,41 @@ The API returns the following response: [source,json] -------------------------------------------------- { - "owner": "cases", "closure_type": "close-by-user", - "created_at": "2022-04-02T01:09:02.303Z", + "owner": "cases", + "created_at": "2022-06-01T17:07:17.767Z", "created_by": { - "email": "moneypenny@hms.gov.uk", - "full_name": "Ms Moneypenny", - "username": "moneypenny" + "username": "elastic", + "email": null, + "full_name": null }, "updated_at": null, "updated_by": null, "connector": { - "id": "131d4448-abe0-4789-939d-8ef60680b498", - "name": "my-serviceNow", - "type": ".servicenow", - "fields": null, + "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6", + "name": "my-jira-connector", + "type": ".jira", + "fields": null }, "mappings": [ { - "source": "title", - "target": "short_description", + "source": "title", + "target": "summary", "action_type": "overwrite" }, { - "source":"description", - "target":"description", - "action_type":"overwrite" + "source": "description", + "target": "description", + "action_type": "overwrite" }, { - "source":"comments", - "target":"work_notes", - "action_type":"append" + "source": "comments", + "target": "comments", + "action_type": "append" } ], - "version": "WzE3NywxXQ==", + "version": "WzIwNzMsMV0=", "error": null, - "id": "7349772f-421a-4de3-b8bb-2d9b22ccee30", + "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" } -------------------------------------------------- diff --git a/docs/api/cases/cases-api-update-configuration.asciidoc b/docs/api/cases/cases-api-update-configuration.asciidoc index cf7d2ea7d8cfd..c1dcb2a71e57c 100644 --- a/docs/api/cases/cases-api-update-configuration.asciidoc +++ b/docs/api/cases/cases-api-update-configuration.asciidoc 
@@ -101,19 +101,19 @@ The API returns the following: [source,json] -------------------------------------------------- { - "closure_type": "close-by-user", + "closure_type": "close-by-pushing", "owner": "cases", - "created_at": "2022-04-06T20:57:40.746Z", + "created_at": "2022-06-01T17:07:17.767Z", "created_by": { - "email": "admin@hms.gov.uk", - "full_name": "Ms Admin", - "username": "admin" + "email": "null", + "full_name": "null", + "username": "elastic" }, - "updated_at": "2022-04-12T22:41:09.262Z", + "updated_at": "2022-06-01T19:58:48.169Z", "updated_by": { - "email": "admin@hms.gov.uk", - "full_name": "Ms Admin", - "username": "admin" + "email": "null", + "full_name": "null", + "username": "elastic" }, "connector": { "id": "none", diff --git a/docs/api/data-views.asciidoc b/docs/api/data-views.asciidoc index d7380cbd97c99..cf9524d4fdf30 100644 --- a/docs/api/data-views.asciidoc +++ b/docs/api/data-views.asciidoc @@ -11,6 +11,7 @@ WARNING: Use the data views APIs for managing data views instead of lower-level The following data views APIs are available: * Data views + ** <> to retrieve a list of data views ** <> to retrieve a single data view ** <> to create data view ** <> to partially updated data view @@ -27,6 +28,7 @@ The following data views APIs are available: ** <> to partially update an existing runtime field ** <> to delete a runtime field +include::data-views/get-all.asciidoc[] include::data-views/get.asciidoc[] include::data-views/create.asciidoc[] include::data-views/update.asciidoc[] diff --git a/docs/api/data-views/get-all.asciidoc b/docs/api/data-views/get-all.asciidoc new file mode 100644 index 0000000000000..42727c38f6d98 --- /dev/null +++ b/docs/api/data-views/get-all.asciidoc 
@@ -0,0 +1,60 @@ +[[data-views-api-get-all]] +=== Get all data views API +++++ +Get all data views +++++ + +experimental[] Retrieve a list of all data views. + + +[[data-views-api-get-all-request]] +==== Request + +`GET :/api/data_views` + +`GET :/s//api/data_views` + + +[[data-views-api-get-all-codes]] +==== Response code + +`200`:: +Indicates a successful call. + + +[[data-views-api-get-all-example]] +==== Example + +Retrieve the list of data views: + +[source,sh] +-------------------------------------------------- +$ curl -X GET api/data_views +-------------------------------------------------- +// KIBANA + +The API returns a list of data views: + +[source,sh] +-------------------------------------------------- +{ + "data_view": [ + { + "id": "e9e024f0-d098-11ec-bbe9-c753adcb34bc", + "namespaces": [ + "default" + ], + "title": "tmp*", + "type": "rollup", + "typeMeta": {} + }, + { + "id": "90943e30-9a47-11e8-b64d-95841ca0b247", + "namespaces": [ + "default" + ], + "title": "kibana_sample_data_logs" + } + ] +} +-------------------------------------------------- diff --git a/docs/apm/apm-spaces.asciidoc b/docs/apm/apm-spaces.asciidoc new file mode 100644 index 0000000000000..c43a512768fad --- /dev/null +++ b/docs/apm/apm-spaces.asciidoc 
@@ -0,0 +1,415 @@ +[role="xpack"] +[[apm-spaces]] +=== Control access to APM data + +Starting in version 8.2.0, the APM app is <> aware. +This allows you to separate your data--and access to that data--by team, use case, service environment, +or any other filter that you choose. + +To take advantage of this feature, your APM data needs to be written to different data steams. +One way to accomplish this is with different namespaces. +For example, you can send production data to an APM integration with a namespace of `production`, +while sending staging data to a different APM integration with a namespace of `staging`. + +Multiple APM integration instances is not required though. The simplest way to take advantage of this feature +is by creating filtered aliases. See the guide below for more information. + +[float] +[[apm-spaces-example]] +=== Guide: Separate staging and production data + +This guide will explain how to separate your staging and production data. +This can be helpful to either remove noise when troubleshooting a production issue, +or to create more granular access control for certain data. + +This guide assumes that you: + +* Are sending both staging and production APM data to an {es} cluster. +* Have configured the `environment` variable in your APM agent configurations. +This variable sets the `service.environment` field in APM documents. +You should have documents where `service.environment: production` and `service.environment: staging`. +If this field is empty, see <> to learn how to set this value. + +[float] +==== Step 1: Create filtered aliases + +The APM app uses index patterns to query your APM data. An index pattern can match data streams, indices, and/or aliases. +The default values are: + +[options="header"] +|==== +| Index setting | Default index pattern +| Error | `logs-apm*` +| Span/Transaction | `traces-apm*` +| Metrics | `metrics-apm*` +|==== + +NOTE: The default index settings also query the `apm-*` data view. 
+This data view matches APM data shipped in earlier versions of APM (prior to v8.0). + +Instead of querying the default APM data views, we can create filtered aliases for the APM app to query. +A filtered alias is a secondary name for a group of data streams that has a user-defined +filter to limit the documents that the alias can access. + +To separate `staging` and `production` APM data, we'd need to create six filtered aliases--three +aliases for each service environment: + +[options="header"] +|==== +| Index setting | `production` env | `staging` evn +| Error | `production-logs-apm` | `staging-logs-apm` +| Span/Transaction | `production-traces-apm` | `staging-traces-apm` +| Metrics | `production-metrics-apm` | `staging-metrics-apm` +|==== + +The `production--apm` aliases will contain a filter that only provides access to documents +where the `service.environment` is `production`. +Similarly, the `staging--apm` aliases will contain a filter that only provides access to documents +where the `service.environment` is `staging`. + +To create these six filtered aliases, use the {es} {ref}/indices-aliases.html[Aliases API]. +In {kib}, open **Dev Tools** and run the following POST requests. 
+ +[%collapsible%open] +.`traces-apm*` production alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "traces-apm*", <1> + "alias": "production-traces-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "production" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM traces data stream +<2> The alias must not match the default APM index (`traces-apm*,apm-*`) +<3> Only match documents where `service.environment: production` +==== + +[%collapsible] +.`logs-apm*` production alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "logs-apm*", <1> + "alias": "production-logs-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "production" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM logs data stream +<2> The alias must not match the default APM index (`logs-apm*,apm-*`) +<3> Only match documents where `service.environment: production` +==== + +[%collapsible] +.`metrics-apm*` production alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "metrics-apm*", <1> + "alias": "production-metrics-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "production" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM metrics data stream +<2> The alias must not match the default APM index (`metrics-apm*,apm-*`) +<3> Only match documents where `service.environment: production` +==== + +[%collapsible] +.`traces-apm*` staging alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "traces-apm*", <1> + "alias": "staging-traces-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "staging" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM traces data stream +<2> The alias must not match the 
default APM index (`traces-apm*,apm-*`) +<3> Only match documents where `service.environment: staging` +==== + +[%collapsible] +.`logs-apm*` staging alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "logs-apm*", <1> + "alias": "staging-logs-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "staging" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM logs data stream +<2> The alias must not match the default APM index (`logs-apm*,apm-*`) +<3> Only match documents where `service.environment: staging` +==== + +[%collapsible] +.`metrics-apm*` staging alias example +==== +[source, console] +---- +POST /_aliases?pretty +{ + "actions": [ + { + "add": { + "index": "metrics-apm*", <1> + "alias": "staging-metrics-apm", <2> + "filter": { + "term": { + "service.environment": { + "value": "staging" <3> + } + } + } + } + } + ] +} +---- +<1> This example matches the APM metrics data stream +<2> The alias must not match the default APM index (`metrics-apm*,apm-*`) +<3> Only match documents where `service.environment: staging` +==== + +[float] +==== Step 2: Create {kib} spaces + +Next, you'll need to create a {Kib} space for each service environment. +To create these spaces, navigate to **Stack Management** > **Spaces** > **Create a space**. +For this guide, we've created two Kibana spaces, one named `production` and one named `staging`. + +See <> for more information on creating a space. + +[float] +==== Step 3: Update APM index settings in each space + +Now we can change the default data views that the APM app queries in each space. + +Open the APM app and navigate to **Settings** > **Indices**. +Use the table below to update your settings for each space. +The values in each column match the names of the filtered aliases we created in step one. 
+
+[options="header"]
+|====
+| Index setting | `production` space | `staging` space
+| Error indices | `production-logs-apm` | `staging-logs-apm`
+| Span indices | `production-traces-apm` | `staging-traces-apm`
+| Transaction indices | `production-traces-apm` | `staging-traces-apm`
+| Metrics indices | `production-metrics-apm` | `staging-metrics-apm`
+|====
+
+[role="screenshot"]
+image::settings/images/apm-settings.png[APM app settings in Kibana]
+
+[float]
+==== Step 4: Create {kib} access roles
+
+In {kib}, navigate to **Stack Management** > **Roles** and click **Create role**.
+
+You'll need to create two roles: one for `staging` users (we'll call this role `staging_apm_viewer`)
+and one for `production` users (we'll call this role `production_apm_viewer`).
+
+Using the table below, assign each role the following privileges:
+
+[options="header"]
+|====
+| Privileges | `production_apm_viewer` | `staging_apm_viewer`
+| Index privileges | index: `production-*-apm`, privilege: `read` | index: `staging-*-apm`, privilege: `read`
+| Kibana privileges | space: `production`, feature privileges: `APM and User Experience: read` | space: `staging`, feature privileges: `APM and User Experience: read`
+|====
+
+[role="screenshot"]
+image::./images/apm-roles-config.png[APM role config example]
+
+Alternatively, you can use the
+{es} {ref}/security-api-put-role.html[Create or update roles API]:
+
+[%collapsible%open]
+.Create a `production_apm_viewer` role
+====
+This request creates a `production_apm_viewer` role:
+
+[source, console]
+----
+POST /_security/role/production_apm_viewer
+{
+ "cluster": [ ],
+ "indices": [
+ {
+ "names": ["production-*-apm"], <1>
+ "privileges": ["read"]
+ }
+ ],
+ "applications": [
+ {
+ "application" : "kibana-.kibana",
+ "privileges" : [
+ "feature_apm.read" <2>
+ ],
+ "resources" : [
+ "space:production" <3>
+ ]
+ }
+ ]
+}
+----
+<1> This data view matches all of the production aliases created in step one.
+<2> Assigns `read` privileges for the APM and User Experience apps.
+<3> Provides access to the space named `production`.
+====
+
+[%collapsible]
+.Create a `staging_apm_viewer` role
+====
+This request creates a `staging_apm_viewer` role:
+
+[source, console]
+----
+POST /_security/role/staging_apm_viewer
+{
+ "cluster": [ ],
+ "indices": [
+ {
+ "names": ["staging-*-apm"], <1>
+ "privileges": ["read"]
+ }
+ ],
+ "applications": [
+ {
+ "application" : "kibana-.kibana",
+ "privileges" : [
+ "feature_apm.read" <2>
+ ],
+ "resources" : [
+ "space:staging" <3>
+ ]
+ }
+ ]
+}
+----
+<1> This data view matches all of the staging aliases created in step one.
+<2> Assigns `read` privileges for the APM and User Experience apps.
+<3> Provides access to the space named `staging`.
+====
+
+[float]
+==== Step 5: Assign users to roles
+
+The last thing to do is assign users to the newly created roles above.
+Users will only have access to the data within the spaces that they are granted.
+
+For information on how to create users and assign them roles with the {kib} UI,
+see <>.
+
+Alternatively, you can use the
+{es} {ref}/security-api-put-user.html[Create or update users API].
+
+This example creates a new user and assigns them the `production_apm_viewer` role created in the previous step.
+This user will only have access to the production space and data with a `service.environment` of `production`.
+Remember to change the `password`, `full_name`, and `email` fields.
+
+[source, console]
+----
+POST /_security/user/production-apm-user
+{
+ "password" : "l0ng-r4nd0m-p@ssw0rd",
+ "roles" : [ "production_apm_viewer" ], <1>
+ "full_name" : "Jane Production Smith",
+ "email" : "janesmith@example.com"
+}
+----
+<1> Assigns the previously created `production_apm_viewer` role.
+
+This example creates a new user and assigns them the `staging_apm_viewer` role created in the previous step.
+This user will only have access to the staging space and data with a `service.environment` of `staging`.
+Remember to change the `password`, `full_name`, and `email` fields.
+
+[source, console]
+----
+POST /_security/user/staging-apm-user
+{
+ "password" : "l0ng-r4nd0m-p@ssw0rd",
+ "roles" : [ "staging_apm_viewer" ], <1>
+ "full_name" : "John Staging Doe",
+ "email" : "johndoe@example.com"
+}
+----
+<1> Assigns the previously created `staging_apm_viewer` role.
+
+[float]
+==== Step 6: Marvel
+
+That's it! Head back to the APM app and marvel at your space-specific data.
diff --git a/docs/apm/how-to-guides.asciidoc b/docs/apm/how-to-guides.asciidoc
index b4e49a69d5a7e..b634c937588b0 100644
--- a/docs/apm/how-to-guides.asciidoc
+++ b/docs/apm/how-to-guides.asciidoc
@@ -6,6 +6,7 @@ Learn how to perform common APM app tasks.
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -17,6 +18,8 @@ Learn how to perform common APM app tasks.
 include::agent-configuration.asciidoc[]
+include::apm-spaces.asciidoc[]
+
 include::apm-alerts.asciidoc[]
 include::custom-links.asciidoc[]
diff --git a/docs/apm/images/apm-integration-config.png b/docs/apm/images/apm-integration-config.png
new file mode 100644
index 0000000000000..7ff5cb5e9d0ba
Binary files /dev/null and b/docs/apm/images/apm-integration-config.png differ
diff --git a/docs/apm/images/apm-roles-config.png b/docs/apm/images/apm-roles-config.png
new file mode 100644
index 0000000000000..ebd992abe9303
Binary files /dev/null and b/docs/apm/images/apm-roles-config.png differ
diff --git a/docs/apm/images/apm-settings.png b/docs/apm/images/apm-settings.png
index 2201ed5fcaa72..2c8ebace287b8 100644
Binary files a/docs/apm/images/apm-settings.png and b/docs/apm/images/apm-settings.png differ
diff --git a/docs/developer/plugin-list.asciidoc b/docs/developer/plugin-list.asciidoc
index 0d2d69123b5f3..837e8845ec542 100644
--- a/docs/developer/plugin-list.asciidoc
+++ b/docs/developer/plugin-list.asciidoc
@@ -495,6 +495,10 @@ the infrastructure monitoring use-case within Kibana.
 |The ingest_pipelines plugin provides Kibana support for Elasticsearch's ingest pipelines.
+|{kib-repo}blob/{branch}/x-pack/plugins/kubernetes_security/README.md[kubernetesSecurity]
+|(under construction)
+
+
 |{kib-repo}blob/{branch}/x-pack/plugins/lens/readme.md[lens]
 |Visualization editor allowing to quickly and easily configure compelling visualizations to use on dashboards and canvas workpads.
diff --git a/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.hidehelpmenu.md b/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.hidehelpmenu.md
index 9bd8b107b2a0a..bcd67a8fe6f21 100644
--- a/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.hidehelpmenu.md
+++ b/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.hidehelpmenu.md
@@ -4,8 +4,6 @@ ## ChromeHelpMenuActions.hideHelpMenu property -The action provides the capability to hide the help menu from within the help extension content components. - Signature: ```typescript
diff --git a/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.md b/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.md
index 3cf33deb3db15..f33581cda5879 100644
--- a/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.md
+++ b/docs/development/core/public/kibana-plugin-core-public.chromehelpmenuactions.md
@@ -4,6 +4,7 @@ ## ChromeHelpMenuActions interface + Signature: ```typescript
@@ -15,3 +16,4 @@ export interface ChromeHelpMenuActions | Property | Type | Description | | --- | --- | --- | | [hideHelpMenu](./kibana-plugin-core-public.chromehelpmenuactions.hidehelpmenu.md) | () => void | | +
diff --git a/docs/development/core/public/kibana-plugin-core-public.coresetup.injectedmetadata.md b/docs/development/core/public/kibana-plugin-core-public.coresetup.injectedmetadata.md index b416670a17210..661702f2d466e 100644 --- a/docs/development/core/public/kibana-plugin-core-public.coresetup.injectedmetadata.md +++ b/docs/development/core/public/kibana-plugin-core-public.coresetup.injectedmetadata.md @@ -4,17 +4,9 @@ ## CoreSetup.injectedMetadata property -> Warning: This API is now obsolete. -> -> 8.8.0 -> - -exposed temporarily until https://github.com/elastic/kibana/issues/41990 done use \*only\* to retrieve config values. There is no way to set injected values in the new platform. Signature: ```typescript -injectedMetadata: { - getInjectedVar: (name: string, defaultValue?: any) => unknown; - }; +injectedMetadata: InjectedMetadataSetup; ``` diff --git a/docs/development/core/public/kibana-plugin-core-public.coresetup.md b/docs/development/core/public/kibana-plugin-core-public.coresetup.md index 0298ac904f952..d83fe780a5a6f 100644 --- a/docs/development/core/public/kibana-plugin-core-public.coresetup.md +++ b/docs/development/core/public/kibana-plugin-core-public.coresetup.md @@ -22,7 +22,7 @@ export interface CoreSetup Warning: This API is now obsolete. -> -> 8.8.0 -> - -exposed temporarily until https://github.com/elastic/kibana/issues/41990 done use \*only\* to retrieve config values. There is no way to set injected values in the new platform. Signature: ```typescript -injectedMetadata: { - getInjectedVar: (name: string, defaultValue?: any) => unknown; - }; +injectedMetadata: InjectedMetadataStart; ``` diff --git a/docs/development/core/public/kibana-plugin-core-public.corestart.md b/docs/development/core/public/kibana-plugin-core-public.corestart.md index 34576c4df2e40..19d4c7115417e 100644 --- a/docs/development/core/public/kibana-plugin-core-public.corestart.md +++ b/docs/development/core/public/kibana-plugin-core-public.corestart.md 
@@ -25,7 +25,7 @@ export interface CoreStart | [fatalErrors](./kibana-plugin-core-public.corestart.fatalerrors.md) | FatalErrorsStart | [FatalErrorsStart](./kibana-plugin-core-public.fatalerrorsstart.md) | | [http](./kibana-plugin-core-public.corestart.http.md) | HttpStart | [HttpStart](./kibana-plugin-core-public.httpstart.md) | | [i18n](./kibana-plugin-core-public.corestart.i18n.md) | I18nStart | [I18nStart](./kibana-plugin-core-public.i18nstart.md) | -| [injectedMetadata](./kibana-plugin-core-public.corestart.injectedmetadata.md) | { getInjectedVar: (name: string, defaultValue?: any) => unknown; } | exposed temporarily until https://github.com/elastic/kibana/issues/41990 done use \*only\* to retrieve config values. There is no way to set injected values in the new platform. | +| [injectedMetadata](./kibana-plugin-core-public.corestart.injectedmetadata.md) | InjectedMetadataStart | | | [notifications](./kibana-plugin-core-public.corestart.notifications.md) | NotificationsStart | [NotificationsStart](./kibana-plugin-core-public.notificationsstart.md) | | [overlays](./kibana-plugin-core-public.corestart.overlays.md) | OverlayStart | [OverlayStart](./kibana-plugin-core-public.overlaystart.md) | | [savedObjects](./kibana-plugin-core-public.corestart.savedobjects.md) | SavedObjectsStart | [SavedObjectsStart](./kibana-plugin-core-public.savedobjectsstart.md) | diff --git a/docs/development/core/public/kibana-plugin-core-public.md b/docs/development/core/public/kibana-plugin-core-public.md index 033faf01bc702..4c5cd8378af60 100644 --- a/docs/development/core/public/kibana-plugin-core-public.md +++ b/docs/development/core/public/kibana-plugin-core-public.md 
@@ -46,7 +46,7 @@ The plugin integrates with the core system via lifecycle events: `setup` | [ChromeHelpExtensionMenuDiscussLink](./kibana-plugin-core-public.chromehelpextensionmenudiscusslink.md) | | | [ChromeHelpExtensionMenuDocumentationLink](./kibana-plugin-core-public.chromehelpextensionmenudocumentationlink.md) | | | [ChromeHelpExtensionMenuGitHubLink](./kibana-plugin-core-public.chromehelpextensionmenugithublink.md) | | -| [ChromeHelpMenuActions](./kibana-plugin-core-public.chromehelpmenuactions.md) | List of actions in order to manipulate with the help menu from the help extensions content components. | +| [ChromeHelpMenuActions](./kibana-plugin-core-public.chromehelpmenuactions.md) | | | [ChromeNavControl](./kibana-plugin-core-public.chromenavcontrol.md) | | | [ChromeNavControls](./kibana-plugin-core-public.chromenavcontrols.md) | [APIs](./kibana-plugin-core-public.chromenavcontrols.md) for registering new controls to be displayed in the navigation bar. | | [ChromeNavLink](./kibana-plugin-core-public.chromenavlink.md) | | 
@@ -172,7 +172,6 @@ The plugin integrates with the core system via lifecycle events: `setup` | [MountPoint](./kibana-plugin-core-public.mountpoint.md) | A function that should mount DOM content inside the provided container element and return a handler to unmount it. | | [NavType](./kibana-plugin-core-public.navtype.md) | | | [PluginInitializer](./kibana-plugin-core-public.plugininitializer.md) | The plugin export at the root of a plugin's public directory should conform to this interface. | -| [PluginOpaqueId](./kibana-plugin-core-public.pluginopaqueid.md) | | | [PublicAppDeepLinkInfo](./kibana-plugin-core-public.publicappdeeplinkinfo.md) | Public information about a registered app's [deepLinks](./kibana-plugin-core-public.appdeeplink.md) | | [PublicAppInfo](./kibana-plugin-core-public.publicappinfo.md) | Public information about a registered [application](./kibana-plugin-core-public.app.md) | | [PublicUiSettingsParams](./kibana-plugin-core-public.publicuisettingsparams.md) | A sub-set of [UiSettingsParams](./kibana-plugin-core-public.uisettingsparams.md) exposed to the client-side. | diff --git a/docs/development/core/public/kibana-plugin-core-public.pluginopaqueid.md b/docs/development/core/public/kibana-plugin-core-public.pluginopaqueid.md deleted file mode 100644 index df5dc25c305c3..0000000000000 --- a/docs/development/core/public/kibana-plugin-core-public.pluginopaqueid.md +++ /dev/null @@ -1,12 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-public](./kibana-plugin-core-public.md) > [PluginOpaqueId](./kibana-plugin-core-public.pluginopaqueid.md) - -## PluginOpaqueId type - - -Signature: - -```typescript -export declare type PluginOpaqueId = symbol; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.configpath.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.configpath.md deleted file mode 100644 index f58c717c80395..0000000000000 
--- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.configpath.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [configPath](./kibana-plugin-core-server.discoveredplugin.configpath.md) - -## DiscoveredPlugin.configPath property - -Root configuration path used by the plugin, defaults to "id" in snake\_case format. - -Signature: - -```typescript -readonly configPath: ConfigPath; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.enabledonanonymouspages.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.enabledonanonymouspages.md deleted file mode 100644 index 472bac3dde7d8..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.enabledonanonymouspages.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [enabledOnAnonymousPages](./kibana-plugin-core-server.discoveredplugin.enabledonanonymouspages.md) - -## DiscoveredPlugin.enabledOnAnonymousPages property - -Specifies whether this plugin - and its required dependencies - will be enabled for anonymous pages (login page, status page when configured, etc.) Default is false. - -Signature: - -```typescript -readonly enabledOnAnonymousPages?: boolean; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.id.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.id.md deleted file mode 100644 index 0a2d091a31fba..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.id.md +++ /dev/null 
@@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [id](./kibana-plugin-core-server.discoveredplugin.id.md) - -## DiscoveredPlugin.id property - -Identifier of the plugin. - -Signature: - -```typescript -readonly id: PluginName; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.md deleted file mode 100644 index 258acfa9ddc36..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.md +++ /dev/null 
@@ -1,26 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) - -## DiscoveredPlugin interface - -Small container object used to expose information about discovered plugins that may or may not have been started. - -Signature: - -```typescript -export interface DiscoveredPlugin -``` - -## Properties - -| Property | Type | Description | -| --- | --- | --- | -| [configPath](./kibana-plugin-core-server.discoveredplugin.configpath.md) | ConfigPath | Root configuration path used by the plugin, defaults to "id" in snake\_case format. | -| [enabledOnAnonymousPages?](./kibana-plugin-core-server.discoveredplugin.enabledonanonymouspages.md) | boolean | (Optional) Specifies whether this plugin - and its required dependencies - will be enabled for anonymous pages (login page, status page when configured, etc.) Default is false. | -| [id](./kibana-plugin-core-server.discoveredplugin.id.md) | PluginName | Identifier of the plugin. | -| [optionalPlugins](./kibana-plugin-core-server.discoveredplugin.optionalplugins.md) | readonly PluginName\[\] | An optional list of the other plugins that if installed and enabled \*\*may be\*\* leveraged by this plugin for some additional functionality but otherwise are not required for this plugin to work properly. | -| [requiredBundles](./kibana-plugin-core-server.discoveredplugin.requiredbundles.md) | readonly PluginName\[\] | List of plugin ids that this plugin's UI code imports modules from that are not in requiredPlugins. | -| [requiredPlugins](./kibana-plugin-core-server.discoveredplugin.requiredplugins.md) | readonly PluginName\[\] | An optional list of the other plugins that \*\*must be\*\* installed and enabled for this plugin to function properly. | -| [type](./kibana-plugin-core-server.discoveredplugin.type.md) | PluginType | Type of the plugin, defaults to standard. | - 
diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.optionalplugins.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.optionalplugins.md deleted file mode 100644 index 0fc42048be90c..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.optionalplugins.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [optionalPlugins](./kibana-plugin-core-server.discoveredplugin.optionalplugins.md) - -## DiscoveredPlugin.optionalPlugins property - -An optional list of the other plugins that if installed and enabled \*\*may be\*\* leveraged by this plugin for some additional functionality but otherwise are not required for this plugin to work properly. - -Signature: - -```typescript -readonly optionalPlugins: readonly PluginName[]; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredbundles.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredbundles.md deleted file mode 100644 index 6d54adb5236ea..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredbundles.md +++ /dev/null 
@@ -1,18 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [requiredBundles](./kibana-plugin-core-server.discoveredplugin.requiredbundles.md) - -## DiscoveredPlugin.requiredBundles property - -List of plugin ids that this plugin's UI code imports modules from that are not in `requiredPlugins`. - -Signature: - -```typescript -readonly requiredBundles: readonly PluginName[]; -``` - -## Remarks - -The plugins listed here will be loaded in the browser, even if the plugin is disabled. Required by `@kbn/optimizer` to support cross-plugin imports. "core" and plugins already listed in `requiredPlugins` do not need to be duplicated here. - diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredplugins.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredplugins.md deleted file mode 100644 index b039891904669..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.requiredplugins.md +++ /dev/null @@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [requiredPlugins](./kibana-plugin-core-server.discoveredplugin.requiredplugins.md) - -## DiscoveredPlugin.requiredPlugins property - -An optional list of the other plugins that \*\*must be\*\* installed and enabled for this plugin to function properly. - -Signature: - -```typescript -readonly requiredPlugins: readonly PluginName[]; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.type.md b/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.type.md deleted file mode 100644 index 0a33be0d63f5c..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.discoveredplugin.type.md +++ /dev/null 
@@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) > [type](./kibana-plugin-core-server.discoveredplugin.type.md) - -## DiscoveredPlugin.type property - -Type of the plugin, defaults to `standard`. - -Signature: - -```typescript -readonly type: PluginType; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.kibanaresponsefactory.md b/docs/development/core/server/kibana-plugin-core-server.kibanaresponsefactory.md index be28cd76b16ee..e02f208ae86ac 100644 --- a/docs/development/core/server/kibana-plugin-core-server.kibanaresponsefactory.md +++ b/docs/development/core/server/kibana-plugin-core-server.kibanaresponsefactory.md @@ -10,7 +10,7 @@ Set of helpers used to create `KibanaResponse` to form HTTP response on an incom ```typescript kibanaResponseFactory: { - custom: | Error | Buffer | { + custom: | Buffer | Error | { message: string | Error; attributes?: ResponseErrorAttributes | undefined; } | Stream | undefined>(options: CustomHttpResponseOptions) => KibanaResponse; @@ -34,7 +34,7 @@ kibanaResponseFactory: { message: string | Error; attributes?: ResponseErrorAttributes | undefined; }>; - customError: (options: CustomHttpResponseOptions) => KibanaResponse) => KibanaResponse; diff --git a/docs/development/core/server/kibana-plugin-core-server.md b/docs/development/core/server/kibana-plugin-core-server.md index 7cb8bd2e78428..7a923aca3a771 100644 --- a/docs/development/core/server/kibana-plugin-core-server.md +++ b/docs/development/core/server/kibana-plugin-core-server.md 
@@ -37,7 +37,6 @@ The plugin integrates with the core system via lifecycle events: `setup` | --- | --- | | [AuthResultType](./kibana-plugin-core-server.authresulttype.md) | | | [AuthStatus](./kibana-plugin-core-server.authstatus.md) | Status indicating an outcome of the authentication. | -| [PluginType](./kibana-plugin-core-server.plugintype.md) | | ## Interfaces @@ -68,7 +67,6 @@ The plugin integrates with the core system via lifecycle events: `setup` | [DeprecationsClient](./kibana-plugin-core-server.deprecationsclient.md) | Server-side client that provides access to fetch all Kibana deprecations | | [DeprecationSettings](./kibana-plugin-core-server.deprecationsettings.md) | UiSettings deprecation field options. | | [DeprecationsServiceSetup](./kibana-plugin-core-server.deprecationsservicesetup.md) | The deprecations service provides a way for the Kibana platform to communicate deprecated features and configs with its users. These deprecations are only communicated if the deployment is using these features. Allowing for a user tailored experience for upgrading the stack version.The Deprecation service is consumed by the upgrade assistant to assist with the upgrade experience.If a deprecated feature can be resolved without manual user intervention. Using correctiveActions.api allows the Upgrade Assistant to use this api to correct the deprecation upon a user trigger. | -| [DiscoveredPlugin](./kibana-plugin-core-server.discoveredplugin.md) | Small container object used to expose information about discovered plugins that may or may not have been started. | | [DocLinksServiceSetup](./kibana-plugin-core-server.doclinksservicesetup.md) | | | [ElasticsearchConfigPreboot](./kibana-plugin-core-server.elasticsearchconfigpreboot.md) | A limited set of Elasticsearch configuration entries exposed to the preboot plugins at setup. | | [ElasticsearchErrorDetails](./kibana-plugin-core-server.elasticsearcherrordetails.md) | | 
@@ -301,8 +299,6 @@ The plugin integrates with the core system via lifecycle events: `setup` | [OnPreRoutingHandler](./kibana-plugin-core-server.onpreroutinghandler.md) | See [OnPreRoutingToolkit](./kibana-plugin-core-server.onpreroutingtoolkit.md). | | [PluginConfigSchema](./kibana-plugin-core-server.pluginconfigschema.md) | Dedicated type for plugin configuration schema. | | [PluginInitializer](./kibana-plugin-core-server.plugininitializer.md) | The plugin export at the root of a plugin's server directory should conform to this interface. | -| [PluginName](./kibana-plugin-core-server.pluginname.md) | Dedicated type for plugin name/id that is supposed to make Map/Set/Arrays that use it as a key or value more obvious. | -| [PluginOpaqueId](./kibana-plugin-core-server.pluginopaqueid.md) | | | [PublicUiSettingsParams](./kibana-plugin-core-server.publicuisettingsparams.md) | A sub-set of [UiSettingsParams](./kibana-plugin-core-server.uisettingsparams.md) exposed to the client-side. | | [RedirectResponseOptions](./kibana-plugin-core-server.redirectresponseoptions.md) | HTTP response parameters for redirection response | | [RequestHandler](./kibana-plugin-core-server.requesthandler.md) | A function executed when route path matched requested resource path. Request handler is expected to return a result of one of [KibanaResponseFactory](./kibana-plugin-core-server.kibanaresponsefactory.md) functions. If anything else is returned, or an error is thrown, the HTTP service will automatically log the error and respond 500 - Internal Server Error. | diff --git a/docs/development/core/server/kibana-plugin-core-server.pluginname.md b/docs/development/core/server/kibana-plugin-core-server.pluginname.md deleted file mode 100644 index b4e0a3bc3bc1f..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.pluginname.md +++ /dev/null 
@@ -1,13 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [PluginName](./kibana-plugin-core-server.pluginname.md) - -## PluginName type - -Dedicated type for plugin name/id that is supposed to make Map/Set/Arrays that use it as a key or value more obvious. - -Signature: - -```typescript -export declare type PluginName = string; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.pluginopaqueid.md b/docs/development/core/server/kibana-plugin-core-server.pluginopaqueid.md deleted file mode 100644 index 648cad57a3b6f..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.pluginopaqueid.md +++ /dev/null @@ -1,12 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [PluginOpaqueId](./kibana-plugin-core-server.pluginopaqueid.md) - -## PluginOpaqueId type - - -Signature: - -```typescript -export declare type PluginOpaqueId = symbol; -``` diff --git a/docs/development/core/server/kibana-plugin-core-server.plugintype.md b/docs/development/core/server/kibana-plugin-core-server.plugintype.md deleted file mode 100644 index e4a252a392949..0000000000000 --- a/docs/development/core/server/kibana-plugin-core-server.plugintype.md +++ /dev/null @@ -1,20 +0,0 @@ - - -[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [PluginType](./kibana-plugin-core-server.plugintype.md) - -## PluginType enum - - -Signature: - -```typescript -export declare enum PluginType -``` - -## Enumeration Members - -| Member | Value | Description | -| --- | --- | --- | -| preboot | "preboot" | Preboot plugins are special-purpose plugins that only function during preboot stage. | -| standard | "standard" | Standard plugins are plugins that start to function as soon as Kibana is fully booted and are active until it shuts down. | - 
diff --git a/docs/settings/apm-settings.asciidoc b/docs/settings/apm-settings.asciidoc
index 2cfd3169b45a3..65f291a1c11cb 100644
--- a/docs/settings/apm-settings.asciidoc
+++ b/docs/settings/apm-settings.asciidoc
@@ -18,9 +18,14 @@ It is enabled by default.
 // Any changes made in this file will be seen there as well.
 // tag::apm-indices-settings[]
-Index defaults can be changed in the APM app. Select **Settings** > **Indices**.
+The APM app uses data views to query APM indices.
+To change the default APM indices that the APM app queries, open the APM app and select **Settings** > **Indices**.
 Index settings in the APM app take precedence over those set in `kibana.yml`.
+Starting in version 8.2.0, APM indices are {kib} Spaces-aware;
+Changes to APM index settings will only apply to the currently enabled space.
+See <> for more information.
+
 [role="screenshot"]
 image::settings/images/apm-settings.png[APM app settings in Kibana]
@@ -72,7 +77,7 @@ Maximum number of child items displayed when viewing trace details. Defaults to
 Index name where Observability annotations are stored. Defaults to `observability-annotations`.
 `xpack.apm.searchAggregatedTransactions` {ess-icon}::
-Enables Transaction histogram metrics. Defaults to `auto` so the UI will use metric indices over transaction indices for transactions if aggregated transactions are found. When set to `always`, additional configuration in APM Server is required. When set to `never` and aggregated transactions are not used.
+Enables Transaction histogram metrics. Defaults to `auto` so the UI will use metric indices over transaction indices for transactions if aggregated transactions are found. When set to `always`, additional configuration in APM Server is required. When set to `never` and aggregated transactions are not used.
 +
 See {apm-guide-ref}/transaction-metrics.html[Configure transaction metrics] for more information.
diff --git a/docs/settings/images/apm-settings.png b/docs/settings/images/apm-settings.png
index 876f135da9356..f3adae184348f 100644
Binary files a/docs/settings/images/apm-settings.png and b/docs/settings/images/apm-settings.png differ
diff --git a/docs/setup/upgrade/resolving-migration-failures.asciidoc b/docs/setup/upgrade/resolving-migration-failures.asciidoc
index 2c3f66f2354dd..10aabdcabd5e2 100644
--- a/docs/setup/upgrade/resolving-migration-failures.asciidoc
+++ b/docs/setup/upgrade/resolving-migration-failures.asciidoc
@@ -89,9 +89,8 @@ The dashboard with the `e3c5fc71-ac71-4805-bcab-2bcc9cc93275` ID that belongs to
 [[unknown-saved-object-types]]
 ==== Documents for unknown saved objects
 Migrations will fail if saved objects belong to an unknown
-saved object type. Unknown saved objects are typically caused by
-to the {es} index, or by disabling a plugin that had previously
-created a saved object.
+saved object type. Unknown saved objects are typically caused by performing manual modifications
+to the {es} index (no longer allowed in 8.x), or by disabling a plugin that had previously created a saved object.
 We recommend using the {kibana-ref-all}/7.17/upgrade-assistant.html[Upgrade Assistant] to discover and remedy any unknown saved object types. {kib} version 7.17.0 deployments containing unknown saved
@@ -106,7 +105,20 @@ If you fail to remedy this, your upgrade to 8.0+ will fail with a message like: [source,sh] -------------------------------------------- -Unable to complete saved object migrations for the [.kibana] index: Migration failed because documents were found for unknown saved object types. To proceed with the migration, please delete these documents from the ".kibana_7.17.0_001" index. +Unable to complete saved object migrations for the [.kibana] index: Migration failed because some documents were found which use unknown saved object types: +- "firstDocId" (type "someType") +- "secondtDocId" (type "someType") +- "thirdDocId" (type "someOtherType") + +To proceed with the migration you can configure Kibana to discard unknown saved objects for this migration. +-------------------------------------------- + +To proceed with the migration, re-enable any plugins that previously created these saved objects. Alternatively, carefully review the list of unknown saved objects in the Kibana log entry. If the corresponding disabled plugins and their associated saved objects will no longer be used, they can be deleted by setting the configuration option `migrations.discardUnknownObjects` to the version you are upgrading to. +For instance, for an upgrade to 8.3.0, you can define the following setting in kibana.yml: + +[source,yaml] +-------------------------------------------- +migrations.discardUnknownObjects: "8.3.0" -------------------------------------------- [float] @@ -181,7 +193,7 @@ PUT /_cluster/settings { "transient": { "cluster.routing.allocation.enable": null - }, + }, "persistent": { "cluster.routing.allocation.enable": null } 
@@ -193,4 +205,4 @@ PUT /_cluster/settings ==== {es} cluster shard limit exceeded When upgrading, {kib} creates new indices requiring a small number of new shards. If the amount of open {es} shards approaches or exceeds the {es} `cluster.max_shards_per_node` setting, {kib} is unable to complete the upgrade. Ensure that {kib} is able to add at least 10 more shards by removing indices to clear up resources, or by increasing the `cluster.max_shards_per_node` setting. -For more information, refer to the documentation on {ref}/allocation-total-shards.html[total shards per node]. \ No newline at end of file +For more information, refer to the documentation on {ref}/allocation-total-shards.html[total shards per node]. diff --git a/nav-kibana-dev.docnav.json b/nav-kibana-dev.docnav.json index 9a170aac79e58..1473bf4d59a0e 100644 --- a/nav-kibana-dev.docnav.json +++ b/nav-kibana-dev.docnav.json @@ -205,7 +205,9 @@ { "id": "kibDevDocsOpsAmbientStorybookTypes" }, { "id": "kibDevDocsOpsAmbientUiTypes" }, { "id": "kibDevDocsOpsTestSubjSelector" }, - { "id": "kibDevDocsOpsBazelRunner" } + { "id": "kibDevDocsOpsBazelRunner" }, + { "id": "kibDevDocsOpsCliDevMode" }, + { "id": "kibDevDocsOpsEs" } ] } ] diff --git a/package.json b/package.json index c6d3d11790b17..cdf015ca98521 100644 --- a/package.json +++ b/package.json 
@@ -145,7 +145,16 @@ "@kbn/apm-utils": "link:bazel-bin/packages/kbn-apm-utils", "@kbn/coloring": "link:bazel-bin/packages/kbn-coloring", "@kbn/config": "link:bazel-bin/packages/kbn-config", + "@kbn/config-mocks": "link:bazel-bin/packages/kbn-config-mocks", "@kbn/config-schema": "link:bazel-bin/packages/kbn-config-schema", + "@kbn/core-base-browser-internal": "link:bazel-bin/packages/core/base/core-base-browser-internal", + "@kbn/core-base-common": "link:bazel-bin/packages/core/base/core-base-common", + "@kbn/core-base-common-internal": "link:bazel-bin/packages/core/base/core-base-common-internal", + "@kbn/core-base-server-internal": "link:bazel-bin/packages/core/base/core-base-server-internal", + "@kbn/core-injected-metadata-browser": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser", + "@kbn/core-injected-metadata-browser-internal": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-internal", + "@kbn/core-injected-metadata-browser-mocks": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-mocks", + "@kbn/core-injected-metadata-common-internal": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-common-internal", "@kbn/crypto": "link:bazel-bin/packages/kbn-crypto", "@kbn/datemath": "link:bazel-bin/packages/kbn-datemath", "@kbn/doc-links": "link:bazel-bin/packages/kbn-doc-links", @@ -245,7 +254,7 @@ "constate": "^1.3.2", "content-disposition": "0.5.3", "copy-to-clipboard": "^3.0.8", - "core-js": "^3.22.5", + "core-js": "^3.22.7", "cronstrue": "^1.51.0", "cytoscape": "^3.10.0", "cytoscape-dagre": "^2.2.2", @@ -253,7 +262,7 @@ "d3-array": "1.2.4", "d3-cloud": "1.2.5", "d3-interpolate": "^3.0.1", - "d3-scale": "1.0.7", + "d3-scale": "^2.2.2", "d3-shape": "^1.1.0", "d3-time": "^1.1.0", "dedent": "^0.7.0", 
@@ -568,7 +577,7 @@ "@types/d3": "^3.5.43", "@types/d3-array": "^1.2.7", "@types/d3-interpolate": "^2.0.0", - "@types/d3-scale": "^2.1.1", + "@types/d3-scale": "^2.2.6", "@types/d3-shape": "^1.3.1", "@types/d3-time": "^1.0.10", "@types/d3-time-format": "^2.1.1", 
@@ -633,7 +642,21 @@ "@types/kbn__cli-dev-mode": "link:bazel-bin/packages/kbn-cli-dev-mode/npm_module_types", "@types/kbn__coloring": "link:bazel-bin/packages/kbn-coloring/npm_module_types", "@types/kbn__config": "link:bazel-bin/packages/kbn-config/npm_module_types", + "@types/kbn__config-mocks": "link:bazel-bin/packages/kbn-config-mocks/npm_module_types", "@types/kbn__config-schema": "link:bazel-bin/packages/kbn-config-schema/npm_module_types", + "@types/kbn__core-base-browser": "link:bazel-bin/packages/core/base/core-base-browser/npm_module_types", + "@types/kbn__core-base-browser-internal": "link:bazel-bin/packages/core/base/core-base-browser-internal/npm_module_types", + "@types/kbn__core-base-common": "link:bazel-bin/packages/core/base/core-base-common/npm_module_types", + "@types/kbn__core-base-common-internal": "link:bazel-bin/packages/core/base/core-base-common-internal/npm_module_types", + "@types/kbn__core-base-server": "link:bazel-bin/packages/core/base/core-base-server/npm_module_types", + "@types/kbn__core-base-server-internal": "link:bazel-bin/packages/core/base/core-base-server-internal/npm_module_types", + "@types/kbn__core-common-internal-base": "link:bazel-bin/packages/core/common/internal-base/npm_module_types", + "@types/kbn__core-injected-metadata-browser": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser/npm_module_types", + "@types/kbn__core-injected-metadata-browser-internal": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-internal/npm_module_types", + "@types/kbn__core-injected-metadata-browser-mocks": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-mocks/npm_module_types", + "@types/kbn__core-injected-metadata-common-internal": "link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-common-internal/npm_module_types", + "@types/kbn__core-public-internal-base": "link:bazel-bin/packages/core/public/internal-base/npm_module_types", + 
"@types/kbn__core-server-internal-base": "link:bazel-bin/packages/core/server/internal-base/npm_module_types", "@types/kbn__crypto": "link:bazel-bin/packages/kbn-crypto/npm_module_types", "@types/kbn__datemath": "link:bazel-bin/packages/kbn-datemath/npm_module_types", "@types/kbn__dev-cli-errors": "link:bazel-bin/packages/kbn-dev-cli-errors/npm_module_types", diff --git a/packages/BUILD.bazel b/packages/BUILD.bazel index 5d503b5fff46f..32a9f77a32796 100644 --- a/packages/BUILD.bazel +++ b/packages/BUILD.bazel @@ -14,6 +14,14 @@ filegroup( "//packages/analytics/shippers/elastic_v3/common:build", "//packages/analytics/shippers/elastic_v3/server:build", "//packages/analytics/shippers/fullstory:build", + "//packages/core/base/core-base-browser-internal:build", + "//packages/core/base/core-base-common-internal:build", + "//packages/core/base/core-base-common:build", + "//packages/core/base/core-base-server-internal:build", + "//packages/core/injected-metadata/core-injected-metadata-browser-internal:build", + "//packages/core/injected-metadata/core-injected-metadata-browser-mocks:build", + "//packages/core/injected-metadata/core-injected-metadata-browser:build", + "//packages/core/injected-metadata/core-injected-metadata-common-internal:build", "//packages/elastic-apm-synthtrace:build", "//packages/elastic-safer-lodash-set:build", "//packages/kbn-ace:build", @@ -33,6 +41,7 @@ filegroup( "//packages/kbn-ci-stats-reporter:build", "//packages/kbn-cli-dev-mode:build", "//packages/kbn-coloring:build", + "//packages/kbn-config-mocks:build", "//packages/kbn-config-schema:build", "//packages/kbn-config:build", "//packages/kbn-crypto:build", 
@@ -131,6 +140,14 @@ filegroup(
 "//packages/analytics/shippers/elastic_v3/common:build_types",
 "//packages/analytics/shippers/elastic_v3/server:build_types",
 "//packages/analytics/shippers/fullstory:build_types",
+ "//packages/core/base/core-base-browser-internal:build_types",
+ "//packages/core/base/core-base-common-internal:build_types",
+ "//packages/core/base/core-base-common:build_types",
+ "//packages/core/base/core-base-server-internal:build_types",
+ "//packages/core/injected-metadata/core-injected-metadata-browser-internal:build_types",
+ "//packages/core/injected-metadata/core-injected-metadata-browser-mocks:build_types",
+ "//packages/core/injected-metadata/core-injected-metadata-browser:build_types",
+ "//packages/core/injected-metadata/core-injected-metadata-common-internal:build_types",
 "//packages/elastic-apm-synthtrace:build_types",
 "//packages/elastic-safer-lodash-set:build_types",
 "//packages/kbn-ace:build_types",
@@ -146,6 +163,7 @@ filegroup(
 "//packages/kbn-ci-stats-reporter:build_types",
 "//packages/kbn-cli-dev-mode:build_types",
 "//packages/kbn-coloring:build_types",
+ "//packages/kbn-config-mocks:build_types",
 "//packages/kbn-config-schema:build_types",
 "//packages/kbn-config:build_types",
 "//packages/kbn-crypto:build_types",
diff --git a/packages/analytics/client/src/events/types.ts b/packages/analytics/client/src/events/types.ts
index 6d31f88621364..ea32803abc3a2 100644
--- a/packages/analytics/client/src/events/types.ts
+++ b/packages/analytics/client/src/events/types.ts
@@ -32,6 +32,10 @@ export interface EventContext {
 * The Cloud ID.
 */
 cloudId?: string;
+ /**
+ * `true` if the user is logged in via the Elastic Cloud authentication provider.
+ */
+ isElasticCloudUser?: boolean;
 /**
 * The product's version.
 */
diff --git a/packages/analytics/shippers/fullstory/src/fullstory_shipper.test.ts b/packages/analytics/shippers/fullstory/src/fullstory_shipper.test.ts
index 10f24ba5b5e14..6707c509a7e83 100644
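Review bot: The doc comment on the new `isElasticCloudUser` field does not say what an absent value means, yet the FullStory shipper in this same change only forwards it when `typeof isElasticCloudUser === 'boolean'`, so `undefined` is a third, "not yet determined" state rather than a synonym for `false`. I would make the tri-state and the data flow explicit in the comment: `` * `true` if the user is logged in via the Elastic Cloud authentication provider, `false` if they are not. Leave it undefined until the provider is known: shippers treat it as an unknown and, e.g., the FullStory shipper forwards a boolean value as a user-level attribute (FS.setUserVars). `` Because this is an optional field on a context that is spread to third-party shippers, stating where it ends up helps anyone later deciding whether a new context field is safe to add. The `EventContext` interface continues outside the hunk.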
--- a/packages/analytics/shippers/fullstory/src/fullstory_shipper.test.ts +++ b/packages/analytics/shippers/fullstory/src/fullstory_shipper.test.ts @@ -52,9 +52,27 @@ describe('FullStoryShipper', () => { }); describe('FS.setUserVars', () => { - test('calls `setUserVars` when version is provided', () => { - fullstoryShipper.extendContext({ version: '1.2.3' }); + test('calls `setUserVars` when isElasticCloudUser: true is provided', () => { + fullstoryShipper.extendContext({ isElasticCloudUser: true }); + expect(fullStoryApiMock.setUserVars).toHaveBeenCalledWith({ + // eslint-disable-next-line @typescript-eslint/naming-convention + isElasticCloudUser_bool: true, + }); + }); + + test('calls `setUserVars` when isElasticCloudUser: false is provided', () => { + fullstoryShipper.extendContext({ isElasticCloudUser: false }); expect(fullStoryApiMock.setUserVars).toHaveBeenCalledWith({ + // eslint-disable-next-line @typescript-eslint/naming-convention + isElasticCloudUser_bool: false, + }); + }); + }); + + describe('FS.setVars', () => { + test('calls `setVars` when version is provided', () => { + fullstoryShipper.extendContext({ version: '1.2.3' }); + expect(fullStoryApiMock.setVars).toHaveBeenCalledWith('page', { version_str: '1.2.3', version_major_int: 1, version_minor_int: 2, 
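Review bot: The two new `FS.setUserVars` tests only cover the `true` and `false` cases; nothing asserts that `setUserVars` is not invoked when `isElasticCloudUser` is absent, which is the guard (`typeof isElasticCloudUser === 'boolean'`) the shipper relies on to avoid sending a user-level attribute before the provider is known. I would add a negative case next to them: `test('does not call setUserVars when isElasticCloudUser is not provided', () => { fullstoryShipper.extendContext({ version: '1.2.3' }); expect(fullStoryApiMock.setUserVars).not.toHaveBeenCalled(); });`. This also pins down that `version`, which used to trigger `setUserVars`, no longer does. The `FS.setVars` describe block this hunk opens continues into the next hunk.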
@@ -62,14 +80,20 @@ describe('FullStoryShipper', () => { }); }); - test('calls `setUserVars` when cloudId is provided', () => { + test('calls `setVars` when cloudId is provided', () => { fullstoryShipper.extendContext({ cloudId: 'test-es-org-id' }); - expect(fullStoryApiMock.setUserVars).toHaveBeenCalledWith({ org_id_str: 'test-es-org-id' }); + expect(fullStoryApiMock.setVars).toHaveBeenCalledWith('page', { + // eslint-disable-next-line @typescript-eslint/naming-convention + cloudId_str: 'test-es-org-id', + org_id_str: 'test-es-org-id', + }); }); test('merges both: version and cloudId if both are provided', () => { fullstoryShipper.extendContext({ version: '1.2.3', cloudId: 'test-es-org-id' }); - expect(fullStoryApiMock.setUserVars).toHaveBeenCalledWith({ + expect(fullStoryApiMock.setVars).toHaveBeenCalledWith('page', { + // eslint-disable-next-line @typescript-eslint/naming-convention + cloudId_str: 'test-es-org-id', org_id_str: 'test-es-org-id', version_str: '1.2.3', version_major_int: 1, @@ -77,9 +101,7 @@ describe('FullStoryShipper', () => { version_patch_int: 3, }); }); - }); - describe('FS.setVars', () => { test('adds the rest of the context to `setVars`', () => { const context = { userId: 'test-user-id', @@ -88,7 +110,16 @@ describe('FullStoryShipper', () => { foo: 'bar', }; fullstoryShipper.extendContext(context); - expect(fullStoryApiMock.setVars).toHaveBeenCalledWith('page', { foo_str: 'bar' }); + expect(fullStoryApiMock.setVars).toHaveBeenCalledWith('page', { + version_str: '1.2.3', + version_major_int: 1, + version_minor_int: 2, + version_patch_int: 3, + // eslint-disable-next-line @typescript-eslint/naming-convention + cloudId_str: 'test-es-org-id', + org_id_str: 'test-es-org-id', + foo_str: 'bar', + }); }); }); }); diff --git a/packages/analytics/shippers/fullstory/src/fullstory_shipper.ts b/packages/analytics/shippers/fullstory/src/fullstory_shipper.ts index 26de46f625736..0bf00e91c7d0e 100644 
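Review bot: In the `adds the rest of the context to setVars` test the context carries `userId` and the expectation correctly omits it, but it does not carry `isElasticCloudUser`, so the one test that exercises the user-level/page-level split never checks that the new user-level flag is kept out of the page-scoped `setVars` payload. Adding `isElasticCloudUser: true,` to that `context` object while leaving the expected `setVars` argument unchanged would lock that in (and `expect(fullStoryApiMock.setUserVars).toHaveBeenCalledWith({ isElasticCloudUser_bool: true })` would cover the other half). As the shipper spreads whatever remains of the context to FullStory, a regression here silently widens what is sent to a third party, which is worth a dedicated assertion.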
--- a/packages/analytics/shippers/fullstory/src/fullstory_shipper.ts +++ b/packages/analytics/shippers/fullstory/src/fullstory_shipper.ts @@ -14,9 +14,9 @@ import type { } from '@kbn/analytics-client'; import type { FullStoryApi } from './types'; import type { FullStorySnippetConfig } from './load_snippet'; -import { getParsedVersion } from './get_parsed_version'; import { formatPayload } from './format_payload'; import { loadSnippet } from './load_snippet'; +import { getParsedVersion } from './get_parsed_version'; /** * FullStory shipper configuration. @@ -62,7 +62,7 @@ export class FullStoryShipper implements IShipper { this.initContext.logger.debug(`Received context ${JSON.stringify(newContext)}`); // FullStory requires different APIs for different type of contexts. - const { userId, version, cloudId, ...nonUserContext } = newContext; + const { userId, isElasticCloudUser, ...nonUserContext } = newContext; // Call it only when the userId changes if (userId && userId !== this.lastUserId) { @@ -73,14 +73,15 @@ export class FullStoryShipper implements IShipper { } // User-level context - if (version || cloudId) { + if (typeof isElasticCloudUser === 'boolean') { this.initContext.logger.debug( - `Calling FS.setUserVars with version ${version} and cloudId ${cloudId}` + `Calling FS.setUserVars with isElasticCloudUser ${isElasticCloudUser}` + ); + this.fullStoryApi.setUserVars( + formatPayload({ + isElasticCloudUser, + }) ); - this.fullStoryApi.setUserVars({ - ...(version ? getParsedVersion(version) : {}), - ...(cloudId ? { org_id_str: cloudId } : {}), - }); } // Event-level context. At the moment, only the scope `page` is supported by FullStory for webapps. 
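Review bot: The new `isElasticCloudUser` branch calls `FS.setUserVars` on every `extendContext` that carries the boolean, whereas the `userId` branch just above it is explicitly guarded with `userId !== this.lastUserId` ("Call it only when the userId changes"); each context update that merely re-spreads the flag will re-send the same user attribute. I would mirror the existing pattern: `if (typeof isElasticCloudUser === 'boolean' && isElasticCloudUser !== this.lastIsElasticCloudUser) {` followed by `this.lastIsElasticCloudUser = isElasticCloudUser;` inside the block, with a `private lastIsElasticCloudUser?: boolean;` field declared next to `lastUserId`, which lies outside this hunk. Since `version` and `cloudId` are no longer destructured out, they now remain in `nonUserContext`; that is intentional per the next hunk, but a one-line comment here saying so (`// version and cloudId are sent as page vars below`) would stop a reader from assuming they were dropped. `extendContext` starts and ends outside the hunk.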
@@ -88,11 +89,15 @@ export class FullStoryShipper implements IShipper { // Keeping these fields for backwards compatibility. if (nonUserContext.applicationId) nonUserContext.app_id = nonUserContext.applicationId; if (nonUserContext.entityId) nonUserContext.ent_id = nonUserContext.entityId; + if (nonUserContext.cloudId) nonUserContext.org_id = nonUserContext.cloudId; this.initContext.logger.debug( `Calling FS.setVars with context ${JSON.stringify(nonUserContext)}` ); - this.fullStoryApi.setVars('page', formatPayload(nonUserContext)); + this.fullStoryApi.setVars('page', { + ...formatPayload(nonUserContext), + ...(nonUserContext.version ? getParsedVersion(nonUserContext.version) : {}), + }); } } diff --git a/packages/core/base/core-base-browser-internal/BUILD.bazel b/packages/core/base/core-base-browser-internal/BUILD.bazel new file mode 100644 index 0000000000000..692c1f45ced6f --- /dev/null +++ b/packages/core/base/core-base-browser-internal/BUILD.bazel 
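Review bot: The added `org_id` alias sits under the "Keeping these fields for backwards compatibility" comment, but it is not the same kind of compatibility as `app_id`/`ent_id`: per the removed lines in the previous hunk, `org_id_str` used to be sent via `FS.setUserVars` (user-level) and it is now a `page`-scoped var, so any FullStory segment or search keyed on the user-level `org_id_str` would presumably stop matching, which is worth confirming before merge. I would spell that out on the new line: `if (nonUserContext.cloudId) nonUserContext.org_id = nonUserContext.cloudId; // was a user var (FS.setUserVars) before this change; now page-scoped, and also sent as cloudId_str`. The spread order in the new `setVars` call lets `getParsedVersion` override any `version*` keys `formatPayload` may have produced; a short comment stating that precedence is intended would help, as it is not obvious from the code. `extendContext` starts outside the hunk.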
@@ -0,0 +1,108 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "core-base-browser-internal" +PKG_REQUIRE_NAME = "@kbn/core-base-browser-internal" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + ], + exclude = [ + "**/*.test.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +RUNTIME_DEPS = [ + "@npm//react" +] + +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", + "//packages/kbn-utility-types:npm_module_types", + "//packages/kbn-config:npm_module_types", + "//packages/core/base/core-base-common-internal:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + 
+filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/core/base/core-base-browser-internal/README.md b/packages/core/base/core-base-browser-internal/README.md new file mode 100644 index 0000000000000..e13dc2439bdce --- /dev/null +++ b/packages/core/base/core-base-browser-internal/README.md @@ -0,0 +1,3 @@ +# @kbn/core-base-browser-internal + +Package containing base browser internal types of Core diff --git a/packages/core/base/core-base-browser-internal/jest.config.js b/packages/core/base/core-base-browser-internal/jest.config.js new file mode 100644 index 0000000000000..def3cf07ee629 --- /dev/null +++ b/packages/core/base/core-base-browser-internal/jest.config.js @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test', + rootDir: '../../../..', + roots: ['/packages/core/base/core-base-browser-internal'], +}; diff --git a/packages/core/base/core-base-browser-internal/package.json b/packages/core/base/core-base-browser-internal/package.json new file mode 100644 index 0000000000000..a790e3c216035 --- /dev/null +++ b/packages/core/base/core-base-browser-internal/package.json @@ -0,0 +1,8 @@ +{ + "name": "@kbn/core-base-browser-internal", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/core/base/core-base-browser-internal/src/core_context.ts b/packages/core/base/core-base-browser-internal/src/core_context.ts new file mode 100644 index 0000000000000..cf981dd752453 --- /dev/null 
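Review bot: `RUNTIME_DEPS = ["@npm//react"]` and `@npm//@types/react` in `TYPES_DEPS` look copied from a package template: the only sources in this package (`src/core_context.ts`, `src/services.ts`, `src/index.ts`) export types and import nothing from React. I would set `RUNTIME_DEPS = []` and drop `"@npm//@types/react"` (and `"react"` from the `types` list in the package's `tsconfig.json`), so the dependency graph of this new core package declares only what it actually consumes. Keeping type-only packages free of unneeded runtime deps is cheap now and avoids them being cargo-culted into the next package.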
+++ b/packages/core/base/core-base-browser-internal/src/core_context.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { EnvironmentMode, PackageInfo } from '@kbn/config'; +import type { CoreId } from '@kbn/core-base-common-internal'; + +/** @internal */ +export interface CoreContext { + coreId: CoreId; + env: { + mode: Readonly; + packageInfo: Readonly; + }; +} diff --git a/packages/core/base/core-base-browser-internal/src/index.ts b/packages/core/base/core-base-browser-internal/src/index.ts new file mode 100644 index 0000000000000..e2338f65d2a50 --- /dev/null +++ b/packages/core/base/core-base-browser-internal/src/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export type { CoreContext } from './core_context'; +export type { CoreService } from './services'; diff --git a/packages/core/base/core-base-browser-internal/src/services.ts b/packages/core/base/core-base-browser-internal/src/services.ts new file mode 100644 index 0000000000000..a6d41b5cb8a73 --- /dev/null +++ b/packages/core/base/core-base-browser-internal/src/services.ts 
@@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { MaybePromise } from '@kbn/utility-types'; + +/** + * Base interface that all core service should implement + * + * @internal + */ +export interface CoreService { + setup(...params: any[]): MaybePromise; + start(...params: any[]): MaybePromise; + stop(): MaybePromise; +} diff --git a/packages/core/base/core-base-browser-internal/tsconfig.json b/packages/core/base/core-base-browser-internal/tsconfig.json new file mode 100644 index 0000000000000..dc20b641b1989 --- /dev/null +++ b/packages/core/base/core-base-browser-internal/tsconfig.json @@ -0,0 +1,18 @@ +{ + "extends": "../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/core/base/core-base-common-internal/BUILD.bazel b/packages/core/base/core-base-common-internal/BUILD.bazel new file mode 100644 index 0000000000000..9095c8da9f311 --- /dev/null +++ b/packages/core/base/core-base-common-internal/BUILD.bazel 
@@ -0,0 +1,105 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "core-base-common-internal" +PKG_REQUIRE_NAME = "@kbn/core-base-common-internal" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + ], + exclude = [ + "**/*.test.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +RUNTIME_DEPS = [ + "@npm//react" +] + +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react" +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) 
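Review bot: As with the browser-internal package, `RUNTIME_DEPS = ["@npm//react"]` and `"@npm//@types/react"` in `TYPES_DEPS` are unused here: this package's whole surface is `export type CoreId = symbol;` re-exported from `src/index.ts`. I would declare `RUNTIME_DEPS = []` and remove the `@types/react` entry, and likewise drop `"react"` from `types` in its `tsconfig.json`, so the Bazel target does not advertise a runtime dependency the code never loads.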
diff --git a/packages/core/base/core-base-common-internal/README.md b/packages/core/base/core-base-common-internal/README.md new file mode 100644 index 0000000000000..271ebc74e2078 --- /dev/null +++ b/packages/core/base/core-base-common-internal/README.md @@ -0,0 +1,3 @@ +# @kbn/core-base-common-internal + +Package containing base common internal types of Core diff --git a/packages/core/base/core-base-common-internal/jest.config.js b/packages/core/base/core-base-common-internal/jest.config.js new file mode 100644 index 0000000000000..b39be31c32e12 --- /dev/null +++ b/packages/core/base/core-base-common-internal/jest.config.js @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test', + rootDir: '../../../..', + roots: ['/packages/core/base/core-base-common-internal'], +}; diff --git a/packages/core/base/core-base-common-internal/package.json b/packages/core/base/core-base-common-internal/package.json new file mode 100644 index 0000000000000..857750d637569 --- /dev/null +++ b/packages/core/base/core-base-common-internal/package.json @@ -0,0 +1,8 @@ +{ + "name": "@kbn/core-base-common-internal", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/src/core/types/core_service.ts b/packages/core/base/core-base-common-internal/src/core.ts similarity index 64% rename from src/core/types/core_service.ts rename to packages/core/base/core-base-common-internal/src/core.ts index b4fd922ba7391..ce3ae6c462dcc 100644 --- a/src/core/types/core_service.ts 
+++ b/packages/core/base/core-base-common-internal/src/core.ts @@ -7,8 +7,4 @@ */ /** @internal */ -export interface CoreService { - setup(...params: any[]): TSetup | Promise; - start(...params: any[]): TStart | Promise; - stop(): void | Promise; -} +export type CoreId = symbol; diff --git a/packages/core/base/core-base-common-internal/src/index.ts b/packages/core/base/core-base-common-internal/src/index.ts new file mode 100644 index 0000000000000..1088c62aed6fd --- /dev/null +++ b/packages/core/base/core-base-common-internal/src/index.ts @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export type { CoreId } from './core'; diff --git a/packages/core/base/core-base-common-internal/tsconfig.json b/packages/core/base/core-base-common-internal/tsconfig.json new file mode 100644 index 0000000000000..dc20b641b1989 --- /dev/null +++ b/packages/core/base/core-base-common-internal/tsconfig.json @@ -0,0 +1,18 @@ +{ + "extends": "../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/core/base/core-base-common/BUILD.bazel b/packages/core/base/core-base-common/BUILD.bazel new file mode 100644 index 0000000000000..118e7dbd8f2be --- /dev/null +++ b/packages/core/base/core-base-common/BUILD.bazel 
@@ -0,0 +1,96 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "core-base-common" +PKG_REQUIRE_NAME = "@kbn/core-base-common" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + ], + exclude = [ + "**/*.test.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +RUNTIME_DEPS = [ +] + +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "//packages/kbn-config:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/core/base/core-base-common/README.md b/packages/core/base/core-base-common/README.md new file mode 100644 index 0000000000000..0e9e6a165ef4c --- /dev/null 
+++ b/packages/core/base/core-base-common/README.md @@ -0,0 +1,3 @@ +# @kbn/core-base-common + +Package containing base common public types of Core diff --git a/packages/core/base/core-base-common/jest.config.js b/packages/core/base/core-base-common/jest.config.js new file mode 100644 index 0000000000000..a35adde4d64a0 --- /dev/null +++ b/packages/core/base/core-base-common/jest.config.js @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test/jest_node', + rootDir: '../../../..', + roots: ['/packages/core/base/core-base-common'], +}; diff --git a/packages/core/base/core-base-common/package.json b/packages/core/base/core-base-common/package.json new file mode 100644 index 0000000000000..028c84c15d78a --- /dev/null +++ b/packages/core/base/core-base-common/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/core-base-common", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/core/base/core-base-common/src/index.ts b/packages/core/base/core-base-common/src/index.ts new file mode 100644 index 0000000000000..7524448e91c20 --- /dev/null +++ b/packages/core/base/core-base-common/src/index.ts 
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export type { PluginOpaqueId, PluginName, DiscoveredPlugin } from './plugins';
+export { PluginType } from './plugins';
diff --git a/packages/core/base/core-base-common/src/plugins.ts b/packages/core/base/core-base-common/src/plugins.ts
new file mode 100644
index 0000000000000..61e44374d514d
--- /dev/null
+++ b/packages/core/base/core-base-common/src/plugins.ts
@@ -0,0 +1,85 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ConfigPath } from '@kbn/config';
+
+/**
+ * Dedicated type for plugin name/id that is supposed to make Map/Set/Arrays
+ * that use it as a key or value more obvious.
+ *
+ * @public
+ */
+export type PluginName = string;
+
+/** @public */
+export type PluginOpaqueId = symbol;
+
+/** @public */
+export enum PluginType {
+ /**
+ * Preboot plugins are special-purpose plugins that only function during preboot stage.
+ */
+ preboot = 'preboot',
+ /**
+ * Standard plugins are plugins that start to function as soon as Kibana is fully booted and are active until it shuts down.
+ */
+ standard = 'standard',
+}
+
+/**
+ * Small container object used to expose information about discovered plugins that may
+ * or may not have been started.
+ * @public
+ */
+export interface DiscoveredPlugin {
+ /**
+ * Identifier of the plugin.
+ */
+ readonly id: PluginName;
+
+ /**
+ * Root configuration path used by the plugin, defaults to "id" in snake_case format.
+ */
+ readonly configPath: ConfigPath;
+
+ /**
+ * Type of the plugin, defaults to `standard`.
+ */
+ readonly type: PluginType;
+
+ /**
+ * An optional list of the other plugins that **must be** installed and enabled
+ * for this plugin to function properly.
+ */
+ readonly requiredPlugins: readonly PluginName[];
+
+ /**
+ * An optional list of the other plugins that if installed and enabled **may be**
+ * leveraged by this plugin for some additional functionality but otherwise are
+ * not required for this plugin to work properly.
+ */
+ readonly optionalPlugins: readonly PluginName[];
+
+ /**
+ * List of plugin ids that this plugin's UI code imports modules from that are
+ * not in `requiredPlugins`.
+ *
+ * @remarks
+ * The plugins listed here will be loaded in the browser, even if the plugin is
+ * disabled. Required by `@kbn/optimizer` to support cross-plugin imports.
+ * "core" and plugins already listed in `requiredPlugins` do not need to be
+ * duplicated here.
+ */
+ readonly requiredBundles: readonly PluginName[];
+
+ /**
+ * Specifies whether this plugin - and its required dependencies - will be enabled for anonymous pages (login page, status page when
+ * configured, etc.) Default is false.
+ */
+ readonly enabledOnAnonymousPages?: boolean;
+}
diff --git a/packages/core/base/core-base-common/tsconfig.json b/packages/core/base/core-base-common/tsconfig.json
new file mode 100644
index 0000000000000..97a3644c3c703
--- /dev/null
+++ b/packages/core/base/core-base-common/tsconfig.json
@@ -0,0 +1,17 @@
+{
+ "extends": "../../../../tsconfig.bazel.json",
+ "compilerOptions": {
+ "declaration": true,
+ "emitDeclarationOnly": true,
+ "outDir": "target_types",
+ "rootDir": "src",
+ "stripInternal": false,
+ "types": [
+ "jest",
+ "node"
+ ]
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/packages/core/base/core-base-server-internal/BUILD.bazel b/packages/core/base/core-base-server-internal/BUILD.bazel
new file mode 100644
index 0000000000000..6fb2083bed017
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/BUILD.bazel
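Review bot: `import { ConfigPath } from '@kbn/config';` at the top of plugins.ts is used only in a type position (`readonly configPath: ConfigPath`), so it should read `import type { ConfigPath } from '@kbn/config';`, as core_context.ts in this same commit does. The package's BUILD.bazel leaves `RUNTIME_DEPS` empty, so a type-only import is also what guarantees the transpiled output carries no runtime require of `@kbn/config` rather than relying on unused-import elision. The docs on `requiredPlugins` and `optionalPlugins` both open with "An optional list" while the fields are non-optional `readonly PluginName[]`; "A list (possibly empty) of the other plugins …" would match the declared type.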
@@ -0,0 +1,99 @@
+load("@npm//@bazel/typescript:index.bzl", "ts_config")
+load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
+load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
+
+PKG_DIRNAME = "core-base-server-internal"
+PKG_REQUIRE_NAME = "@kbn/core-base-server-internal"
+
+SOURCE_FILES = glob(
+ [
+ "src/**/*.ts",
+ ],
+ exclude = [
+ "**/*.test.*",
+ ],
+)
+
+SRCS = SOURCE_FILES
+
+filegroup(
+ name = "srcs",
+ srcs = SRCS,
+)
+
+NPM_MODULE_EXTRA_FILES = [
+ "package.json",
+]
+
+RUNTIME_DEPS = [
+]
+
+TYPES_DEPS = [
+ "@npm//@types/node",
+ "@npm//@types/jest",
+ "//packages/kbn-config:npm_module_types",
+ "//packages/kbn-logging:npm_module_types",
+ "//packages/kbn-utility-types:npm_module_types",
+ "//packages/core/base/core-base-common-internal:npm_module_types",
+]
+
+jsts_transpiler(
+ name = "target_node",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+)
+
+ts_config(
+ name = "tsconfig",
+ src = "tsconfig.json",
+ deps = [
+ "//:tsconfig.base.json",
+ "//:tsconfig.bazel.json",
+ ],
+)
+
+ts_project(
+ name = "tsc_types",
+ args = ['--pretty'],
+ srcs = SRCS,
+ deps = TYPES_DEPS,
+ declaration = True,
+ emit_declaration_only = True,
+ out_dir = "target_types",
+ root_dir = "src",
+ tsconfig = ":tsconfig",
+)
+
+js_library(
+ name = PKG_DIRNAME,
+ srcs = NPM_MODULE_EXTRA_FILES,
+ deps = RUNTIME_DEPS + [":target_node"],
+ package_name = PKG_REQUIRE_NAME,
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm(
+ name = "npm_module",
+ deps = [":" + PKG_DIRNAME],
+)
+
+filegroup(
+ name = "build",
+ srcs = [":npm_module"],
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm_types(
+ name = "npm_module_types",
+ srcs = SRCS,
+ deps = [":tsc_types"],
+ package_name = PKG_REQUIRE_NAME,
+ tsconfig = ":tsconfig",
+ visibility = ["//visibility:public"],
+)
+
+filegroup(
+ name = "build_types",
+ srcs = [":npm_module_types"],
+ visibility = ["//visibility:public"],
+)
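Review bot: `TYPES_DEPS` lists no types target for `@kbn/config-schema`, yet src/services.ts added in this commit imports `Type` from it; unless that module is resolved transitively through `//packages/kbn-config:npm_module_types`, the `tsc_types` build cannot find it, and adding `"//packages/kbn-config-schema:npm_module_types",` next to the kbn-config entry makes the dependency explicit either way. The same gap appears in the two injected-metadata BUILD files further down: browser-internal's types.ts imports `ThemeVersion` from `@kbn/ui-shared-deps-npm`, and browser-mocks' `.mock.ts` imports `PublicMethodsOf` from `@kbn/utility-types`, neither of which is in the respective `TYPES_DEPS`.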
diff --git a/packages/core/base/core-base-server-internal/README.md b/packages/core/base/core-base-server-internal/README.md
new file mode 100644
index 0000000000000..101d4958d2a7c
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/README.md
@@ -0,0 +1,3 @@
+# @kbn/core-base-server-internal
+
+Package containing base server internal types of Core
diff --git a/packages/core/base/core-base-server-internal/jest.config.js b/packages/core/base/core-base-server-internal/jest.config.js
new file mode 100644
index 0000000000000..10ded5390cab5
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/jest.config.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+ preset: '@kbn/test/jest_node',
+ rootDir: '../../../..',
+ roots: ['/packages/core/base/core-base-server-internal'],
+};
diff --git a/packages/core/base/core-base-server-internal/package.json b/packages/core/base/core-base-server-internal/package.json
new file mode 100644
index 0000000000000..faa96a804973e
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/package.json
@@ -0,0 +1,7 @@
+{
+ "name": "@kbn/core-base-server-internal",
+ "private": true,
+ "version": "1.0.0",
+ "main": "./target_node/index.js",
+ "license": "SSPL-1.0 OR Elastic License 2.0"
+}
diff --git a/src/core/server/core_context.ts b/packages/core/base/core-base-server-internal/src/core_context.ts
similarity index 78%
rename from src/core/server/core_context.ts
rename to packages/core/base/core-base-server-internal/src/core_context.ts
index 7b015d3c9fdab..f8caa35b0720f 100644
--- a/src/core/server/core_context.ts
+++ b/packages/core/base/core-base-server-internal/src/core_context.ts
@@ -6,11 +6,9 @@
 * Side Public License, v 1.
 */
-import { LoggerFactory } from '@kbn/logging';
-import { IConfigService, Env } from './config';
-
-/** @internal */
-export type CoreId = symbol;
+import type { IConfigService, Env } from '@kbn/config';
+import type { LoggerFactory } from '@kbn/logging';
+import type { CoreId } from '@kbn/core-base-common-internal';
 /**
 * Groups all main Kibana's core modules/systems/services that are consumed in a
diff --git a/packages/core/base/core-base-server-internal/src/index.ts b/packages/core/base/core-base-server-internal/src/index.ts
new file mode 100644
index 0000000000000..2cfa86145ce7b
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/src/index.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export type { CoreContext } from './core_context';
+export type { CoreService, ServiceConfigDescriptor } from './services';
diff --git a/packages/core/base/core-base-server-internal/src/services.ts b/packages/core/base/core-base-server-internal/src/services.ts
new file mode 100644
index 0000000000000..67cb8d2ef7f8c
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/src/services.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { MaybePromise } from '@kbn/utility-types';
+import type { ConfigDeprecationProvider } from '@kbn/config';
+import type { Type } from '@kbn/config-schema';
+
+/**
+ * Descriptor of a core service configuration
+ *
+ * @internal
+ */
+export interface ServiceConfigDescriptor {
+ path: string;
+ /**
+ * Schema to use to validate the configuration.
+ */
+ schema: Type;
+ /**
+ * Provider for the {@link ConfigDeprecation} to apply to the plugin configuration.
+ */
+ deprecations?: ConfigDeprecationProvider;
+}
+
+/**
+ * Base interface that all core service should implement
+ *
+ * @internal
+ */
+export interface CoreService {
+ setup(...params: any[]): MaybePromise;
+ start(...params: any[]): MaybePromise;
+ stop(): MaybePromise;
+}
diff --git a/packages/core/base/core-base-server-internal/tsconfig.json b/packages/core/base/core-base-server-internal/tsconfig.json
new file mode 100644
index 0000000000000..97a3644c3c703
--- /dev/null
+++ b/packages/core/base/core-base-server-internal/tsconfig.json
@@ -0,0 +1,17 @@
+{
+ "extends": "../../../../tsconfig.bazel.json",
+ "compilerOptions": {
+ "declaration": true,
+ "emitDeclarationOnly": true,
+ "outDir": "target_types",
+ "rootDir": "src",
+ "stripInternal": false,
+ "types": [
+ "jest",
+ "node"
+ ]
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/BUILD.bazel b/packages/core/injected-metadata/core-injected-metadata-browser-internal/BUILD.bazel
new file mode 100644
index 0000000000000..a83771bb84744
--- /dev/null
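Review bot: `import { MaybePromise } from '@kbn/utility-types';` in services.ts is a value import of a symbol used only as a type, inconsistent with the two `import type` lines directly beneath it; `import type { MaybePromise } from '@kbn/utility-types';` keeps the whole file erasable at transpile time. `ServiceConfigDescriptor.path` is the only member without a doc comment, and the `{@link ConfigDeprecation}` on `deprecations` names a symbol this file never imports, so the link will not resolve in generated docs; I would add `/** Configuration path this descriptor's schema is validated against. */` above `path: string;` and either import `ConfigDeprecation` as a type or drop the link. The doc on `deprecations` also says "plugin configuration" while the interface describes a core service configuration.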
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/BUILD.bazel 
@@ -0,0 +1,109 @@
+load("@npm//@bazel/typescript:index.bzl", "ts_config")
+load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
+load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
+
+PKG_DIRNAME = "core-injected-metadata-browser-internal"
+PKG_REQUIRE_NAME = "@kbn/core-injected-metadata-browser-internal"
+
+SOURCE_FILES = glob(
+ [
+ "src/**/*.ts",
+ "src/**/*.tsx",
+ ],
+ exclude = [
+ "**/*.test.*",
+ ],
+)
+
+SRCS = SOURCE_FILES
+
+filegroup(
+ name = "srcs",
+ srcs = SRCS,
+)
+
+NPM_MODULE_EXTRA_FILES = [
+ "package.json",
+]
+
+RUNTIME_DEPS = [
+ "@npm//lodash",
+ "//packages/kbn-std",
+]
+
+TYPES_DEPS = [
+ "@npm//@types/node",
+ "@npm//@types/jest",
+ "@npm//@types/lodash",
+ "//packages/kbn-std:npm_module_types",
+ "//packages/core/base/core-base-common:npm_module_types",
+ "//packages/core/injected-metadata/core-injected-metadata-common-internal:npm_module_types",
+]
+
+jsts_transpiler(
+ name = "target_node",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+)
+
+jsts_transpiler(
+ name = "target_web",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+ web = True,
+)
+
+ts_config(
+ name = "tsconfig",
+ src = "tsconfig.json",
+ deps = [
+ "//:tsconfig.base.json",
+ "//:tsconfig.bazel.json",
+ ],
+)
+
+ts_project(
+ name = "tsc_types",
+ args = ['--pretty'],
+ srcs = SRCS,
+ deps = TYPES_DEPS,
+ declaration = True,
+ emit_declaration_only = True,
+ out_dir = "target_types",
+ root_dir = "src",
+ tsconfig = ":tsconfig",
+)
+
+js_library(
+ name = PKG_DIRNAME,
+ srcs = NPM_MODULE_EXTRA_FILES,
+ deps = RUNTIME_DEPS + [":target_node", ":target_web"],
+ package_name = PKG_REQUIRE_NAME,
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm(
+ name = "npm_module",
+ deps = [":" + PKG_DIRNAME],
+)
+
+filegroup(
+ name = "build",
+ srcs = [":npm_module"],
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm_types(
+ name = "npm_module_types",
+ srcs = SRCS,
+ deps = [":tsc_types"],
+ package_name = 
PKG_REQUIRE_NAME,
+ tsconfig = ":tsconfig",
+ visibility = ["//visibility:public"],
+)
+
+filegroup(
+ name = "build_types",
+ srcs = [":npm_module_types"],
+ visibility = ["//visibility:public"],
+)
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/README.md b/packages/core/injected-metadata/core-injected-metadata-browser-internal/README.md
new file mode 100644
index 0000000000000..9945379eceebf
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/README.md
@@ -0,0 +1,3 @@
+# @kbn/core-injected-metadata-browser-internal
+
+This package contains the implementation and internal types of the browser-side injectedMedata service.
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/jest.config.js b/packages/core/injected-metadata/core-injected-metadata-browser-internal/jest.config.js
new file mode 100644
index 0000000000000..0d957a7a3d5a2
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/jest.config.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+ preset: '@kbn/test',
+ rootDir: '../../../..',
+ roots: ['/packages/core/injected-metadata/core-injected-metadata-browser-internal'],
+};
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/package.json b/packages/core/injected-metadata/core-injected-metadata-browser-internal/package.json
new file mode 100644
index 0000000000000..3fcac1793fcad
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "@kbn/core-injected-metadata-browser-internal",
+ "private": true,
+ "version": "1.0.0",
+ "main": "./target_node/index.js",
+ "browser": "./target_web/index.js",
+ "license": "SSPL-1.0 OR Elastic License 2.0"
+}
diff --git a/src/core/public/injected_metadata/index.ts b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/index.ts
similarity index 80%
rename from src/core/public/injected_metadata/index.ts
rename to packages/core/injected-metadata/core-injected-metadata-browser-internal/src/index.ts
index b2c4413ed5ff3..2fa0580e742f5 100644
--- a/src/core/public/injected_metadata/index.ts
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/index.ts
@@ -5,10 +5,10 @@
 * in compliance with, at your election, the Elastic License 2.0 or the Server
 * Side Public License, v 1.
 */
+
 export { InjectedMetadataService } from './injected_metadata_service';
 export type {
+ InternalInjectedMetadataSetup,
+ InternalInjectedMetadataStart,
 InjectedMetadataParams,
- InjectedMetadataSetup,
- InjectedMetadataStart,
- InjectedPluginMetadata,
-} from './injected_metadata_service';
+} from './types';
diff --git a/src/core/public/injected_metadata/injected_metadata_service.test.ts b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.test.ts
similarity index 99%
rename from src/core/public/injected_metadata/injected_metadata_service.test.ts
rename to packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.test.ts
index ba0e2470d7f26..00e73a8a6fe8c 100644
--- a/src/core/public/injected_metadata/injected_metadata_service.test.ts
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.test.ts
@@ -6,7 +6,7 @@
 * Side Public License, v 1.
 */
-import { DiscoveredPlugin } from '../../server';
+import type { DiscoveredPlugin } from '@kbn/core-base-common';
 import { InjectedMetadataService } from './injected_metadata_service';
 describe('setup.getElasticsearchInfo()', () => {
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.ts b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.ts
new file mode 100644
index 0000000000000..9c6ef8dea4982
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/injected_metadata_service.ts
@@ -0,0 +1,100 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { get } from 'lodash';
+import { deepFreeze } from '@kbn/std';
+import type { InjectedMetadata } from '@kbn/core-injected-metadata-common-internal';
+import type {
+ InjectedMetadataParams,
+ InternalInjectedMetadataSetup,
+ InternalInjectedMetadataStart,
+} from './types';
+
+/**
+ * Provides access to the metadata that is injected by the
+ * server into the page. The metadata is actually defined
+ * in the entry file for the bundle containing the new platform
+ * and is read from the DOM in most cases.
+ *
+ * @internal
+ */
+export class InjectedMetadataService {
+ private state: InjectedMetadata;
+
+ constructor(private readonly params: InjectedMetadataParams) {
+ this.state = deepFreeze(this.params.injectedMetadata) as InjectedMetadata;
+ }
+
+ public start(): InternalInjectedMetadataSetup {
+ return this.setup();
+ }
+
+ public setup(): InternalInjectedMetadataStart {
+ return {
+ getBasePath: () => {
+ return this.state.basePath;
+ },
+
+ getServerBasePath: () => {
+ return this.state.serverBasePath;
+ },
+
+ getPublicBaseUrl: () => {
+ return this.state.publicBaseUrl;
+ },
+
+ getAnonymousStatusPage: () => {
+ return this.state.anonymousStatusPage;
+ },
+
+ getKibanaVersion: () => {
+ return this.state.version;
+ },
+
+ getCspConfig: () => {
+ return this.state.csp;
+ },
+
+ getExternalUrlConfig: () => {
+ return this.state.externalUrl;
+ },
+
+ getPlugins: () => {
+ return this.state.uiPlugins;
+ },
+
+ getLegacyMetadata: () => {
+ return this.state.legacyMetadata;
+ },
+
+ getInjectedVar: (name: string, defaultValue?: any): unknown => {
+ return get(this.state.vars, name, 
defaultValue);
+ },
+
+ getInjectedVars: () => {
+ return this.state.vars;
+ },
+
+ getKibanaBuildNumber: () => {
+ return this.state.buildNumber;
+ },
+
+ getKibanaBranch: () => {
+ return this.state.branch;
+ },
+
+ getTheme: () => {
+ return this.state.theme;
+ },
+
+ getElasticsearchInfo: () => {
+ return this.state.clusterInfo;
+ },
+ };
+ }
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/types.ts b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/types.ts
new file mode 100644
index 0000000000000..679673bd2b0d4
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/src/types.ts
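Review bot: The return-type annotations on `start()` and `setup()` in InjectedMetadataService are swapped: `start()` is declared to return `InternalInjectedMetadataSetup` and `setup()` to return `InternalInjectedMetadataStart`. It compiles only because types.ts in this commit declares `InternalInjectedMetadataStart` as an alias of `InternalInjectedMetadataSetup`, so the annotations will silently mislead the first person who lets the two contracts diverge; the fix is `public start(): InternalInjectedMetadataStart {` and `public setup(): InternalInjectedMetadataSetup {`. The class doc still says the metadata "is read from the DOM in most cases", which nothing in this file shows (the constructor only deep-freezes `params.injectedMetadata`); I would drop that sentence or hedge it as a note about the caller.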
@@ -0,0 +1,63 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ThemeVersion } from '@kbn/ui-shared-deps-npm';
+import {
+ InjectedMetadata,
+ InjectedMetadataClusterInfo,
+ InjectedMetadataExternalUrlPolicy,
+ InjectedMetadataPlugin,
+} from '@kbn/core-injected-metadata-common-internal';
+
+/** @internal */
+export interface InjectedMetadataParams {
+ injectedMetadata: InjectedMetadata;
+}
+
+/**
+ * Provides access to the metadata injected by the server into the page
+ *
+ * @internal
+ */
+export interface InternalInjectedMetadataSetup {
+ getBasePath: () => string;
+ getServerBasePath: () => string;
+ getPublicBaseUrl: () => string | undefined;
+ getKibanaBuildNumber: () => number;
+ getKibanaBranch: () => string;
+ getKibanaVersion: () => string;
+ getCspConfig: () => {
+ warnLegacyBrowsers: boolean;
+ };
+ getExternalUrlConfig: () => {
+ policy: InjectedMetadataExternalUrlPolicy[];
+ };
+ getTheme: () => {
+ darkMode: boolean;
+ version: ThemeVersion;
+ };
+ getElasticsearchInfo: () => InjectedMetadataClusterInfo;
+ /**
+ * An array of frontend plugins in topological order.
+ */
+ getPlugins: () => InjectedMetadataPlugin[];
+ getAnonymousStatusPage: () => boolean;
+ getLegacyMetadata: () => {
+ uiSettings: {
+ defaults: Record;
+ user?: Record | undefined;
+ };
+ };
+ getInjectedVar: (name: string, defaultValue?: any) => unknown;
+ getInjectedVars: () => {
+ [key: string]: unknown;
+ };
+}
+
+/** @internal */
+export type InternalInjectedMetadataStart = InternalInjectedMetadataSetup;
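Review bot: Both import statements at the top of types.ts are plain `import { … }` for symbols used only in type positions (`ThemeVersion` and the four `InjectedMetadata*` names), while this package's BUILD.bazel lists neither `@kbn/ui-shared-deps-npm` nor the common-internal package in `RUNTIME_DEPS`; writing them as `import type { ThemeVersion } from '@kbn/ui-shared-deps-npm';` and `import type { … } from '@kbn/core-injected-metadata-common-internal';` guarantees elision instead of relying on the transpiler dropping unused imports, and matches the style of the other new files in this commit. Only `getPlugins` carries a doc comment; `getInjectedVar` deserves one most, since the service implementation passes `name` straight to lodash `get`, so a dotted name walks into nested vars — e.g. `/** Reads a single injected var; `name` is resolved as a lodash property path and `defaultValue` is returned when it is absent. */`.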
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-internal/tsconfig.json b/packages/core/injected-metadata/core-injected-metadata-browser-internal/tsconfig.json
new file mode 100644
index 0000000000000..dc20b641b1989
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-internal/tsconfig.json
@@ -0,0 +1,18 @@
+{
+ "extends": "../../../../tsconfig.bazel.json",
+ "compilerOptions": {
+ "declaration": true,
+ "emitDeclarationOnly": true,
+ "outDir": "target_types",
+ "rootDir": "src",
+ "stripInternal": false,
+ "types": [
+ "jest",
+ "node",
+ "react"
+ ]
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/BUILD.bazel b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/BUILD.bazel
new file mode 100644
index 0000000000000..f4788208b932d
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/BUILD.bazel
@@ -0,0 +1,105 @@
+load("@npm//@bazel/typescript:index.bzl", "ts_config")
+load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
+load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
+
+PKG_DIRNAME = "core-injected-metadata-browser-mocks"
+PKG_REQUIRE_NAME = "@kbn/core-injected-metadata-browser-mocks"
+
+SOURCE_FILES = glob(
+ [
+ "src/**/*.ts",
+ "src/**/*.tsx",
+ ],
+ exclude = [
+ "**/*.test.*",
+ ],
+)
+
+SRCS = SOURCE_FILES
+
+filegroup(
+ name = "srcs",
+ srcs = SRCS,
+)
+
+NPM_MODULE_EXTRA_FILES = [
+ "package.json",
+]
+
+RUNTIME_DEPS = [
+]
+
+TYPES_DEPS = [
+ "@npm//@types/node",
+ "@npm//@types/jest",
+ "//packages/core/injected-metadata/core-injected-metadata-browser-internal:npm_module_types",
+
+]
+
+jsts_transpiler(
+ name = "target_node",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+)
+
+jsts_transpiler(
+ name = "target_web",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+ web = True,
+)
+
+ts_config(
+ name = "tsconfig",
+ src = "tsconfig.json",
+ deps = [
+ "//:tsconfig.base.json",
+ "//:tsconfig.bazel.json",
+ ],
+)
+
+ts_project(
+ name = "tsc_types",
+ args = ['--pretty'],
+ srcs = SRCS,
+ deps = TYPES_DEPS,
+ declaration = True,
+ emit_declaration_only = True,
+ out_dir = "target_types",
+ root_dir = "src",
+ tsconfig = ":tsconfig",
+)
+
+js_library(
+ name = PKG_DIRNAME,
+ srcs = NPM_MODULE_EXTRA_FILES,
+ deps = RUNTIME_DEPS + [":target_node", ":target_web"],
+ package_name = PKG_REQUIRE_NAME,
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm(
+ name = "npm_module",
+ deps = [":" + PKG_DIRNAME],
+)
+
+filegroup(
+ name = "build",
+ srcs = [":npm_module"],
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm_types(
+ name = "npm_module_types",
+ srcs = SRCS,
+ deps = [":tsc_types"],
+ package_name = PKG_REQUIRE_NAME,
+ tsconfig = ":tsconfig",
+ visibility = ["//visibility:public"],
+)
+
+filegroup(
+ name = "build_types",
+ srcs = [":npm_module_types"],
+ visibility = 
["//visibility:public"],
+)
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/README.md b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/README.md
new file mode 100644
index 0000000000000..2fa98ee0d1ca0
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/README.md
@@ -0,0 +1,3 @@
+# @kbn/core-injected-metadata-browser-mocks
+
+This package contains the public and internal mocks for the injected medata service.
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/jest.config.js b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/jest.config.js
new file mode 100644
index 0000000000000..6ffcfd6c82a74
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/jest.config.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+ preset: '@kbn/test',
+ rootDir: '../../../..',
+ roots: ['/packages/core/injected-metadata/core-injected-metadata-browser-mocks'],
+};
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/package.json b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/package.json
new file mode 100644
index 0000000000000..e8a4db9f1e47c
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "@kbn/core-injected-metadata-browser-mocks",
+ "private": true,
+ "version": "1.0.0",
+ "main": "./target_node/index.js",
+ "browser": "./target_web/index.js",
+ "license": "SSPL-1.0 OR Elastic License 2.0"
+}
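Review bot: `TYPES_DEPS` here lists only the browser-internal types, but src/injected_metadata_service.mock.ts is part of SRCS (the glob excludes only `*.test.*`) and imports `PublicMethodsOf` from `@kbn/utility-types`, which the browser-internal BUILD does not depend on either; unless it is resolved some other way, `"//packages/kbn-utility-types:npm_module_types",` belongs in this list. The empty entry line left before the closing `]` of `TYPES_DEPS` should also go, since none of the sibling BUILD files in this commit carry one.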
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/index.ts b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/index.ts
new file mode 100644
index 0000000000000..c10e5837765f8
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export { injectedMetadataServiceMock } from './injected_metadata_service.mock';
diff --git a/src/core/public/injected_metadata/injected_metadata_service.mock.ts b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/injected_metadata_service.mock.ts
similarity index 91%
rename from src/core/public/injected_metadata/injected_metadata_service.mock.ts
rename to packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/injected_metadata_service.mock.ts
index 83903942df53d..ca510df64c1e2 100644
--- a/src/core/public/injected_metadata/injected_metadata_service.mock.ts
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/src/injected_metadata_service.mock.ts
@@ -7,10 +7,13 @@
 */
 import type { PublicMethodsOf } from '@kbn/utility-types';
-import { InjectedMetadataService, InjectedMetadataSetup } from './injected_metadata_service';
+import type {
+ InjectedMetadataService,
+ InternalInjectedMetadataSetup,
+} from '@kbn/core-injected-metadata-browser-internal';
 const createSetupContractMock = () => {
- const setupContract: jest.Mocked = {
+ const setupContract: jest.Mocked = {
 getBasePath: jest.fn(),
 getServerBasePath: jest.fn(),
 getPublicBaseUrl: jest.fn(),
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser-mocks/tsconfig.json b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/tsconfig.json
new file mode 100644
index 0000000000000..dc20b641b1989
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser-mocks/tsconfig.json
@@ -0,0 +1,18 @@
+{
+ "extends": "../../../../tsconfig.bazel.json",
+ "compilerOptions": {
+ "declaration": true,
+ "emitDeclarationOnly": true,
+ "outDir": "target_types",
+ "rootDir": "src",
+ "stripInternal": false,
+ "types": [
+ "jest",
+ "node",
+ "react"
+ ]
+ },
+ "include": [
+ "src/**/*"
+ ]
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/BUILD.bazel b/packages/core/injected-metadata/core-injected-metadata-browser/BUILD.bazel
new file mode 100644
index 0000000000000..ace4ba52be72b
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/BUILD.bazel
@@ -0,0 +1,124 @@
+load("@npm//@bazel/typescript:index.bzl", "ts_config")
+load("@build_bazel_rules_nodejs//:index.bzl", "js_library")
+load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project")
+
+PKG_DIRNAME = "core-injected-metadata-browser"
+PKG_REQUIRE_NAME = "@kbn/core-injected-metadata-browser"
+
+SOURCE_FILES = glob(
+ [
+ "src/**/*.ts",
+ "src/**/*.tsx",
+ ],
+ exclude = [
+ "**/*.test.*",
+ ],
+)
+
+SRCS = SOURCE_FILES
+
+filegroup(
+ name = "srcs",
+ srcs = SRCS,
+)
+
+NPM_MODULE_EXTRA_FILES = [
+ "package.json",
+]
+
+# In this array place runtime dependencies, including other packages and NPM packages
+# which must be available for this code to run.
+#
+# To reference other packages use:
+# "//repo/relative/path/to/package"
+# eg. "//packages/kbn-utils"
+#
+# To reference a NPM package use:
+# "@npm//name-of-package"
+# eg. "@npm//lodash"
+RUNTIME_DEPS = [
+ "@npm//react"
+]
+
+# In this array place dependencies necessary to build the types, which will include the
+# :npm_module_types target of other packages and packages from NPM, including @types/*
+# packages.
+#
+# To reference the types for another package use:
+# "//repo/relative/path/to/package:npm_module_types"
+# eg. 
"//packages/kbn-utils:npm_module_types"
+#
+# References to NPM packages work the same as RUNTIME_DEPS
+TYPES_DEPS = [
+ "@npm//@types/node",
+ "@npm//@types/jest",
+ "@npm//@types/react"
+]
+
+jsts_transpiler(
+ name = "target_node",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+)
+
+jsts_transpiler(
+ name = "target_web",
+ srcs = SRCS,
+ build_pkg_name = package_name(),
+ web = True,
+)
+
+ts_config(
+ name = "tsconfig",
+ src = "tsconfig.json",
+ deps = [
+ "//:tsconfig.base.json",
+ "//:tsconfig.bazel.json",
+ ],
+)
+
+ts_project(
+ name = "tsc_types",
+ args = ['--pretty'],
+ srcs = SRCS,
+ deps = TYPES_DEPS,
+ declaration = True,
+ emit_declaration_only = True,
+ out_dir = "target_types",
+ root_dir = "src",
+ tsconfig = ":tsconfig",
+)
+
+js_library(
+ name = PKG_DIRNAME,
+ srcs = NPM_MODULE_EXTRA_FILES,
+ deps = RUNTIME_DEPS + [":target_node", ":target_web"],
+ package_name = PKG_REQUIRE_NAME,
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm(
+ name = "npm_module",
+ deps = [":" + PKG_DIRNAME],
+)
+
+filegroup(
+ name = "build",
+ srcs = [":npm_module"],
+ visibility = ["//visibility:public"],
+)
+
+pkg_npm_types(
+ name = "npm_module_types",
+ srcs = SRCS,
+ deps = [":tsc_types"],
+ package_name = PKG_REQUIRE_NAME,
+ tsconfig = ":tsconfig",
+ visibility = ["//visibility:public"],
+)
+
+filegroup(
+ name = "build_types",
+ srcs = [":npm_module_types"],
+ visibility = ["//visibility:public"],
+)
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/README.md b/packages/core/injected-metadata/core-injected-metadata-browser/README.md
new file mode 100644
index 0000000000000..1008081481fd0
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/README.md
@@ -0,0 +1,3 @@
+# @kbn/core-injected-metadata-browser
+
+This package contains the browser public types for the injectedMedata core service.
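Review bot: This package exports only types (contract.ts declares two interfaces and index.ts is a bare `export type`), yet `RUNTIME_DEPS` pulls in `@npm//react` and `TYPES_DEPS` adds `@npm//@types/react`, and the file keeps the template's explanatory comment blocks that every other BUILD.bazel in this commit drops. Unless a `.tsx` source is planned, `RUNTIME_DEPS = [` / `]` and removing the `@npm//@types/react` entry avoid an unnecessary dependency edge on the react bundle; the `"@npm//react"` and `"@npm//@types/react"` entries also lack the trailing comma the sibling lists use.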
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/jest.config.js b/packages/core/injected-metadata/core-injected-metadata-browser/jest.config.js
new file mode 100644
index 0000000000000..211b9925953bd
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/jest.config.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+ preset: '@kbn/test',
+ rootDir: '../../../..',
+ roots: ['/packages/core/injected-metadata/core-injected-metadata-browser'],
+};
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/package.json b/packages/core/injected-metadata/core-injected-metadata-browser/package.json
new file mode 100644
index 0000000000000..df5f22e5bf0d9
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "@kbn/core-injected-metadata-browser",
+ "private": true,
+ "version": "1.0.0",
+ "main": "./target_node/index.js",
+ "browser": "./target_web/index.js",
+ "license": "SSPL-1.0 OR Elastic License 2.0"
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/src/contract.ts b/packages/core/injected-metadata/core-injected-metadata-browser/src/contract.ts
new file mode 100644
index 0000000000000..ac06c4e75310a
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/src/contract.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+/**
+ * exposed temporarily until https://github.com/elastic/kibana/issues/41990 done
+ * use *only* to retrieve config values. There is no way to set injected values
+ * in the new platform.
+ * @public
+ * @deprecated
+ * @removeBy 8.8.0
+ */
+export interface InjectedMetadataSetup {
+ getInjectedVar: (name: string, defaultValue?: any) => unknown;
+}
+
+/**
+ * exposed temporarily until https://github.com/elastic/kibana/issues/41990 done
+ * use *only* to retrieve config values. There is no way to set injected values
+ * in the new platform.
+ * @public
+ * @deprecated
+ * @removeBy 8.8.0
+ */
+export interface InjectedMetadataStart {
+ getInjectedVar: (name: string, defaultValue?: any) => unknown;
+}
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/src/index.ts b/packages/core/injected-metadata/core-injected-metadata-browser/src/index.ts
new file mode 100644
index 0000000000000..827fb634bb932
--- /dev/null
+++ b/packages/core/injected-metadata/core-injected-metadata-browser/src/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export type { InjectedMetadataStart, InjectedMetadataSetup } from './contract';
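Review bot: `getInjectedVar` accepts `defaultValue?: any` but returns `unknown`, so a caller's fallback is taken untyped while the result still has to be narrowed; `defaultValue?: unknown` keeps both sides consistent and is a drop-in change for both interfaces. The two interfaces are byte-identical including their doc blocks, so `export type InjectedMetadataStart = InjectedMetadataSetup;` (or a shared base interface) would stop the duplicated comments from drifting apart, provided the API-report tooling accepts the alias. The doc comment could also state explicitly that the value comes back as `unknown` and must be validated or narrowed by the caller before use, which is the contract the signature already implies.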
diff --git a/packages/core/injected-metadata/core-injected-metadata-browser/tsconfig.json b/packages/core/injected-metadata/core-injected-metadata-browser/tsconfig.json new file mode 100644 index 0000000000000..dc20b641b1989 --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-browser/tsconfig.json @@ -0,0 +1,18 @@ +{ + "extends": "../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/BUILD.bazel b/packages/core/injected-metadata/core-injected-metadata-common-internal/BUILD.bazel new file mode 100644 index 0000000000000..49bf853fea8de --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/BUILD.bazel 
@@ -0,0 +1,108 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "core-injected-metadata-common-internal" +PKG_REQUIRE_NAME = "@kbn/core-injected-metadata-common-internal" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + "src/**/*.tsx", + ], + exclude = [ + "**/*.test.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +RUNTIME_DEPS = [ + "@npm//react" +] + +TYPES_DEPS = [ + "@npm//@types/node", + "@npm//@types/jest", + "@npm//@types/react", + "//packages/kbn-config:npm_module_types", + "//packages/kbn-ui-shared-deps-npm:npm_module_types", + "//packages/core/base/core-base-common:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), +) + +jsts_transpiler( + name = "target_web", + srcs = SRCS, + build_pkg_name = package_name(), + web = True, +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node", ":target_web"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = 
["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/README.md b/packages/core/injected-metadata/core-injected-metadata-common-internal/README.md new file mode 100644 index 0000000000000..1066ac932eaa8 --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/README.md @@ -0,0 +1,3 @@ +# @kbn/core-injected-metadata-common-internal + +This package contains the common internal types for the injectedMedata core domain. diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/jest.config.js b/packages/core/injected-metadata/core-injected-metadata-common-internal/jest.config.js new file mode 100644 index 0000000000000..86617de17a2d9 --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/jest.config.js @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test', + rootDir: '../../../..', + roots: ['/packages/core/injected-metadata/core-injected-metadata-common-internal'], +}; diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/package.json b/packages/core/injected-metadata/core-injected-metadata-common-internal/package.json new file mode 100644 index 0000000000000..0d1d3b9866f0c --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/package.json 
@@ -0,0 +1,8 @@ +{ + "name": "@kbn/core-injected-metadata-common-internal", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "browser": "./target_web/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/src/index.ts b/packages/core/injected-metadata/core-injected-metadata-common-internal/src/index.ts new file mode 100644 index 0000000000000..7809f1b4ec38a --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/src/index.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export type { + InjectedMetadata, + InjectedMetadataClusterInfo, + InjectedMetadataExternalUrlPolicy, + InjectedMetadataPlugin, +} from './types'; diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/src/types.ts b/packages/core/injected-metadata/core-injected-metadata-common-internal/src/types.ts new file mode 100644 index 0000000000000..77d7640f2ea17 --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/src/types.ts 
@@ -0,0 +1,69 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import type { PluginName, DiscoveredPlugin } from '@kbn/core-base-common'; +import type { ThemeVersion } from '@kbn/ui-shared-deps-npm'; +import type { EnvironmentMode, PackageInfo } from '@kbn/config'; + +/** @internal */ +export interface InjectedMetadataClusterInfo { + cluster_uuid?: string; + cluster_name?: string; + cluster_version?: string; +} + +/** @internal */ +export interface InjectedMetadataPlugin { + id: PluginName; + plugin: DiscoveredPlugin; + config?: { + [key: string]: unknown; + }; +} + +/** @internal */ +export interface InjectedMetadataExternalUrlPolicy { + allow: boolean; + host?: string; + protocol?: string; +} + +/** @internal */ +export interface InjectedMetadata { + version: string; + buildNumber: number; + branch: string; + basePath: string; + serverBasePath: string; + publicBaseUrl?: string; + clusterInfo: InjectedMetadataClusterInfo; + env: { + mode: EnvironmentMode; + packageInfo: PackageInfo; + }; + anonymousStatusPage: boolean; + i18n: { + translationsUrl: string; + }; + theme: { + darkMode: boolean; + version: ThemeVersion; + }; + csp: { + warnLegacyBrowsers: boolean; + }; + externalUrl: { policy: InjectedMetadataExternalUrlPolicy[] }; + vars: Record; + uiPlugins: InjectedMetadataPlugin[]; + legacyMetadata: { + uiSettings: { + defaults: Record; // unreferencing UiSettingsParams here + user: Record; // unreferencing UserProvidedValues here + }; + }; +} 
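Review bot: `InjectedMetadataClusterInfo` uses snake_case members (`cluster_uuid`, `cluster_name`, `cluster_version`) while every other interface in the file is camelCase; if these mirror the Elasticsearch cluster-info field names verbatim, a comment such as `// member names intentionally match the Elasticsearch cluster info response` above the interface would mark the inconsistency as deliberate. The rendered diff shows bare `Record;` for `vars` and for the `legacyMetadata.uiSettings` members, so their type arguments could not be reviewed here; it is worth confirming they are not `Record<string, any>`, which would hide the shape of server-provided values from browser consumers. The trailing `// unreferencing UiSettingsParams here` comments would read more clearly as `// kept as a plain Record to avoid a dependency on UiSettingsParams` (and likewise for `UserProvidedValues`).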
diff --git a/packages/core/injected-metadata/core-injected-metadata-common-internal/tsconfig.json b/packages/core/injected-metadata/core-injected-metadata-common-internal/tsconfig.json new file mode 100644 index 0000000000000..dc20b641b1989 --- /dev/null +++ b/packages/core/injected-metadata/core-injected-metadata-common-internal/tsconfig.json @@ -0,0 +1,18 @@ +{ + "extends": "../../../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node", + "react" + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/elastic-apm-synthtrace/README.md b/packages/elastic-apm-synthtrace/README.md index c34083f199375..24ce3b055abd0 100644 --- a/packages/elastic-apm-synthtrace/README.md +++ b/packages/elastic-apm-synthtrace/README.md 
@@ -91,12 +91,19 @@ const esEvents = toElasticsearchOutput([ ### CLI -Via the CLI, you can upload scenarios, either using a fixed time range or continuously generating data. Some examples are available in in `src/scripts/examples`. Here's an example for live data: +Via the CLI, you can run scenarios, either using a fixed time range or continuously generating data. Scenarios are available in [`packages/elastic-apm-synthtrace/src/scenarios/`](https://github.com/elastic/kibana/blob/main/packages/elastic-apm-synthtrace/src/scenarios/). -`$ node packages/elastic-apm-synthtrace/src/scripts/run packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts --target=http://admin:changeme@localhost:9200 --live` +For live data ingestion: + +``` +node scripts/synthtrace simple_trace.ts --target=http://admin:changeme@localhost:9200 --live +``` For a fixed time window: -`$ node packages/elastic-apm-synthtrace/src/scripts/run packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts --target=http://admin:changeme@localhost:9200 --from=now-24h --to=now` + +``` +node scripts/synthtrace simple_trace.ts --target=http://admin:changeme@localhost:9200 --from=now-24h --to=now +``` The script will try to automatically find bootstrapped APM indices. **If these indices do not exist, the script will exit with an error. It will not bootstrap the indices itself.** 
@@ -104,24 +111,26 @@ The following options are supported: ### Connection options -| Option | Type | Default | Description | -|------------------------|-----------|:-----------|--------------------------------------------------------------------------------------------------------------------------------------------| -| `--target` | [string] | | Elasticsearch target | -| `--kibana` | [string] | | Kibana target, used to bootstrap datastreams/mappings/templates/settings | -| `--cloudId` | [string] | | Provide connection information and will force APM on the cloud to migrate to run as a Fleet integration | -| `--local` | [boolean] | | Shortcut during development, assumes `yarn es snapshot` and `yarn start` are running | -| `--username` | [string] | `elastic` | Basic authentication username | -| `--password` | [string] | `changeme` | Basic authentication password | - -Note: -- If you only specify `--target` Synthtrace can not automatically setup APM. -- If you specify both `--target` and `--kibana` the tool will automatically attempt to install the appropriate APM package +| Option | Type | Default | Description | +| ------------ | --------- | :--------- | ------------------------------------------------------------------------------------------------------- | +| `--target` | [string] | | Elasticsearch target | +| `--kibana` | [string] | | Kibana target, used to bootstrap datastreams/mappings/templates/settings | +| `--cloudId` | [string] | | Provide connection information and will force APM on the cloud to migrate to run as a Fleet integration | +| `--local` | [boolean] | | Shortcut during development, assumes `yarn es snapshot` and `yarn start` are running | +| `--username` | [string] | `elastic` | Basic authentication username | +| `--password` | [string] | `changeme` | Basic authentication password | + +Note: + +- If you only specify `--target` Synthtrace can not automatically setup APM. 
+- If you specify both `--target` and `--kibana` the tool will automatically attempt to install the appropriate APM package - For Cloud its easiest to specify `--cloudId` as it will unpack the ES/Kibana targets and migrate cloud over to managed APM automatically. - If you only specify `--kibana` and it's using a cloud hostname a very naive `--target` to Elasticsearch will be inferred. ### Scenario options + | Option | Type | Default | Description | -|------------------------|-----------|:--------|--------------------------------------------------------------------------------------------------------------------------------------------| +| ---------------------- | --------- | :------ | ------------------------------------------------------------------------------------------------------------------------------------------ | | `--from` | [date] | `now()` | The start of the time window | | `--to` | [date] | | The end of the time window | | `--maxDocs` | [number] | | The maximum number of documents we are allowed to generate | 
@@ -132,17 +141,17 @@ Note: | `--forceLegacyIndices` | [boolean] | `false` | Force writing to legacy indices | Note: + - The default `--to` is `15m` unless `--maxDocs` is specified in which case `--to` is calculated based on the scenario's TPM. - You can combine `--from` `--maxDocs` and `--to` with `--live` to back-fill some data. - ### Setup options -| Option | Type | Default | Description | -|-------------------|-----------|:-----------|---------------------------------------------------------------------------------------------------------| -| `--numShards` | [number] | | Updates the component templates to update the number of primary shards, requires cloudId to be provided | -| `--clean` | [boolean] | `false` | Clean APM data before indexing new data | -| `--workers` | [number] | | Amount of Node.js worker threads | -| `--logLevel` | [enum] | `info` | Log level | -| `--gcpRepository` | [string] | | Allows you to register a GCP repository in :[:base_path] format | -| `-p` | [string] | | Specify multiple sets of streamaggregators to be included in the StreamProcessor | +| Option | Type | Default | Description | +| ----------------- | --------- | :------ | ------------------------------------------------------------------------------------------------------- | +| `--numShards` | [number] | | Updates the component templates to update the number of primary shards, requires cloudId to be provided | +| `--clean` | [boolean] | `false` | Clean APM data before indexing new data | +| `--workers` | [number] | | Amount of Node.js worker threads | +| `--logLevel` | [enum] | `info` | Log level | +| `--gcpRepository` | [string] | | Allows you to register a GCP repository in :[:base_path] format | +| `-p` | [string] | | Specify multiple sets of streamaggregators to be included in the StreamProcessor | 
diff --git a/packages/elastic-apm-synthtrace/src/scripts/run.js b/packages/elastic-apm-synthtrace/bin/synthtrace
old mode 100644
new mode 100755
similarity index 90%
rename from packages/elastic-apm-synthtrace/src/scripts/run.js
rename to packages/elastic-apm-synthtrace/bin/synthtrace
index e6da98c40004d..3502b3566c654
--- a/packages/elastic-apm-synthtrace/src/scripts/run.js
+++ b/packages/elastic-apm-synthtrace/bin/synthtrace
@@ -1,3 +1,5 @@
+#!/usr/bin/env node
+
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License
@@ -12,4 +14,4 @@ require('@babel/register')({
 presets: [['@babel/preset-env', { targets: { node: 'current' } }], '@babel/preset-typescript'],
 });
-require('./run_synthtrace');
+require('../src/scripts/run_synthtrace');
diff --git a/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts b/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
index fbe9cab323fa8..1dbd2ad40e712 100644
--- a/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
+++ b/packages/elastic-apm-synthtrace/src/lib/apm/client/apm_synthtrace_kibana_client.ts
@@ -83,9 +83,13 @@ export class ApmSynthtraceKibanaClient {
 },
 body: '{"force":true}',
 });
+ const responseJson = await response.json();
+
 if (responseJson.statusCode) {
- throw Error(`unable to install apm package ${packageVersion}`);
+ throw Error(
+ `unable to install apm package ${packageVersion}. Received status code: ${responseJson.statusCode} and message: ${responseJson.message}`
+ );
 }
 if (responseJson.items) {
 this.logger.info(`Installed apm package ${packageVersion}`);
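Review bot: `await response.json()` on the new line throws its own parse error whenever Kibana, or a proxy in front of it, answers with a non-JSON body such as an HTML error page, and that error carries none of the `packageVersion` context the hunk just added to the thrown message. If `response` is a fetch-style Response, checking `response.ok` (or `response.status`) before parsing and including `response.status` in the message would cover that case regardless of body shape, since `responseJson.statusCode` is only present when Kibana's own error envelope came back. The enclosing method continues outside the hunk, so the `responseJson.items` branch was not reviewed.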
diff --git a/packages/elastic-apm-synthtrace/src/scripts/examples/04_agent_config.ts b/packages/elastic-apm-synthtrace/src/scenarios/agent_config.ts similarity index 76% rename from packages/elastic-apm-synthtrace/src/scripts/examples/04_agent_config.ts rename to packages/elastic-apm-synthtrace/src/scenarios/agent_config.ts index ec6d57eba4b61..767890ee493b0 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/examples/04_agent_config.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/agent_config.ts @@ -6,11 +6,11 @@ * Side Public License, v 1. */ -import { observer, timerange } from '../..'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; -import { AgentConfigFields } from '../../lib/agent_config/agent_config_fields'; +import { observer, timerange } from '..'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; +import { AgentConfigFields } from '../lib/agent_config/agent_config_fields'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/examples/02_kibana_stats.ts b/packages/elastic-apm-synthtrace/src/scenarios/kibana_stats.ts similarity index 79% rename from packages/elastic-apm-synthtrace/src/scripts/examples/02_kibana_stats.ts rename to packages/elastic-apm-synthtrace/src/scenarios/kibana_stats.ts index 6d31ae188be40..d1ea567599391 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/examples/02_kibana_stats.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/kibana_stats.ts 
@@ -6,11 +6,11 @@ * Side Public License, v 1. */ -import { stackMonitoring, timerange } from '../..'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; -import { ApmFields } from '../../lib/apm/apm_fields'; +import { stackMonitoring, timerange } from '..'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; +import { ApmFields } from '../lib/apm/apm_fields'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/scenarios/01_low_throughput.ts b/packages/elastic-apm-synthtrace/src/scenarios/low_throughput.ts similarity index 90% rename from packages/elastic-apm-synthtrace/src/scripts/scenarios/01_low_throughput.ts rename to packages/elastic-apm-synthtrace/src/scenarios/low_throughput.ts index 91412a45a7508..c522bebe0ae8f 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/scenarios/01_low_throughput.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/low_throughput.ts 
@@ -7,12 +7,12 @@ */ import { random } from 'lodash'; -import { apm, timerange } from '../..'; -import { ApmFields } from '../../lib/apm/apm_fields'; -import { Instance } from '../../lib/apm/instance'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; +import { apm, timerange } from '..'; +import { ApmFields } from '../lib/apm/apm_fields'; +import { Instance } from '../lib/apm/instance'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/scenarios/01_many_services.ts b/packages/elastic-apm-synthtrace/src/scenarios/many_services.ts similarity index 90% rename from packages/elastic-apm-synthtrace/src/scripts/scenarios/01_many_services.ts rename to packages/elastic-apm-synthtrace/src/scenarios/many_services.ts index 728884c1a8df5..daeabf83e79b4 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/scenarios/01_many_services.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/many_services.ts 
@@ -7,12 +7,12 @@ */ import { random } from 'lodash'; -import { apm, timerange } from '../..'; -import { Instance } from '../../lib/apm/instance'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; -import { ApmFields } from '../../lib/apm/apm_fields'; +import { apm, timerange } from '..'; +import { Instance } from '../lib/apm/instance'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; +import { ApmFields } from '../lib/apm/apm_fields'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/examples/03_monitoring.ts b/packages/elastic-apm-synthtrace/src/scenarios/monitoring.ts similarity index 82% rename from packages/elastic-apm-synthtrace/src/scripts/examples/03_monitoring.ts rename to packages/elastic-apm-synthtrace/src/scenarios/monitoring.ts index bcc1dfb50def2..467be4143078d 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/examples/03_monitoring.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/monitoring.ts 
@@ -8,11 +8,11 @@ // Run with: node ./src/scripts/run ./src/scripts/examples/03_monitoring.ts --target=http://elastic:changeme@localhost:9200 -import { stackMonitoring, timerange } from '../..'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; -import { StackMonitoringFields } from '../../lib/stack_monitoring/stack_monitoring_fields'; +import { stackMonitoring, timerange } from '..'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; +import { StackMonitoringFields } from '../lib/stack_monitoring/stack_monitoring_fields'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts b/packages/elastic-apm-synthtrace/src/scenarios/simple_trace.ts similarity index 89% rename from packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts rename to packages/elastic-apm-synthtrace/src/scenarios/simple_trace.ts index b90bf7bb69c05..97a9aacfeda96 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/simple_trace.ts 
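Review bot: the context line `// Run with: node ./src/scripts/run ./src/scripts/examples/03_monitoring.ts --target=http://elastic:changeme@localhost:9200` names a runner and a scenario path that this same commit renames (`bin/synthtrace` and `src/scenarios/monitoring.ts`), so the in-file instruction no longer works as written. Updating it to the form the README in this diff documents, `// Run with: node scripts/synthtrace monitoring.ts --target=http://elastic:changeme@localhost:9200`, keeps the hint consistent with the documented invocation, assuming the `scripts/synthtrace` wrapper the README refers to exists. The remainder of the scenario lies outside the hunk.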
@@ -6,12 +6,12 @@ * Side Public License, v 1. */ -import { apm, timerange } from '../..'; -import { ApmFields } from '../../lib/apm/apm_fields'; -import { Instance } from '../../lib/apm/instance'; -import { Scenario } from '../scenario'; -import { getLogger } from '../utils/get_common_services'; -import { RunOptions } from '../utils/parse_run_cli_flags'; +import { apm, timerange } from '..'; +import { ApmFields } from '../lib/apm/apm_fields'; +import { Instance } from '../lib/apm/instance'; +import { Scenario } from '../scripts/scenario'; +import { getLogger } from '../scripts/utils/get_common_services'; +import { RunOptions } from '../scripts/utils/parse_run_cli_flags'; const scenario: Scenario = async (runOptions: RunOptions) => { const logger = getLogger(runOptions); diff --git a/packages/elastic-apm-synthtrace/src/scripts/examples/04_span_links.ts b/packages/elastic-apm-synthtrace/src/scenarios/span_links.ts similarity index 96% rename from packages/elastic-apm-synthtrace/src/scripts/examples/04_span_links.ts rename to packages/elastic-apm-synthtrace/src/scenarios/span_links.ts index f73a3b4f4fb49..c8f8b680a6de6 100644 --- a/packages/elastic-apm-synthtrace/src/scripts/examples/04_span_links.ts +++ b/packages/elastic-apm-synthtrace/src/scenarios/span_links.ts @@ -7,9 +7,9 @@ */ import { compact, shuffle } from 'lodash'; -import { apm, ApmFields, EntityArrayIterable, timerange } from '../..'; -import { generateLongId, generateShortId } from '../../lib/utils/generate_id'; -import { Scenario } from '../scenario'; +import { apm, ApmFields, EntityArrayIterable, timerange } from '..'; +import { generateLongId, generateShortId } from '../lib/utils/generate_id'; +import { Scenario } from '../scripts/scenario'; function generateExternalSpanLinks() { // randomly creates external span links 0 - 10 
diff --git a/packages/elastic-apm-synthtrace/src/scripts/utils/get_scenario.ts b/packages/elastic-apm-synthtrace/src/scripts/utils/get_scenario.ts
index 3f929a62179d8..8dd5eecf78dee 100644
--- a/packages/elastic-apm-synthtrace/src/scripts/utils/get_scenario.ts
+++ b/packages/elastic-apm-synthtrace/src/scripts/utils/get_scenario.ts
@@ -5,20 +5,18 @@
 * in compliance with, at your election, the Elastic License 2.0 or the Server
 * Side Public License, v 1.
 */
-import Path from 'path';
+
 import { Logger } from '../../lib/utils/create_logger';
 import { Scenario } from '../scenario';
 import { Fields } from '../../lib/entity';
-export function getScenario({ file, logger }: { file: unknown; logger: Logger }) {
- const location = Path.join(process.cwd(), String(file));
-
- logger.debug(`Loading scenario from ${location}`);
+export function getScenario({ file, logger }: { file: string; logger: Logger }) {
+ logger.debug(`Loading scenario from ${file}`);
- return import(location).then((m) => {
+ return import(file).then((m) => {
 if (m && m.default) {
 return m.default;
 }
- throw new Error(`Could not find scenario at ${location}`);
+ throw new Error(`Could not import scenario at ${file}`);
 }) as Promise>;
 }
diff --git a/packages/elastic-apm-synthtrace/src/scripts/utils/parse_run_cli_flags.ts b/packages/elastic-apm-synthtrace/src/scripts/utils/parse_run_cli_flags.ts
index f6c4005ba3fe1..27f59747bca4c 100644
--- a/packages/elastic-apm-synthtrace/src/scripts/utils/parse_run_cli_flags.ts
+++ b/packages/elastic-apm-synthtrace/src/scripts/utils/parse_run_cli_flags.ts
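Review bot: the new message `Could not import scenario at ${file}` is thrown only after `import(file)` has already succeeded and the module merely lacks a default export, so it now describes the wrong failure; `throw new Error(\`Scenario at ${file} has no default export\`)` states what actually went wrong. Conversely a rejected `import(file)` (a syntax error in the scenario, a missing transitive module) propagates without the file path because the chain has no `.catch`; a `.catch` placed before the `.then` that rethrows with `Could not import scenario at ${file}: ${err.message}` would keep the path in that case too. The `Promise>` on the last line appears with its type arguments stripped by the rendering, so the declared return type was not reviewed.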
@@ -6,14 +6,37 @@
 * Side Public License, v 1.
 */
+import { existsSync } from 'fs';
 import { pick } from 'lodash';
+import path from 'path';
 import { LogLevel } from '../../lib/utils/create_logger';
 import { RunCliFlags } from '../run_synthtrace';
-export function parseRunCliFlags(flags: RunCliFlags) {
- const { file, _, logLevel } = flags;
+function getParsedFile(flags: RunCliFlags) {
+ const { file, _ } = flags;
+ const parsedFile = (file || _[0]) as string;
+
+ if (!parsedFile) {
+ throw new Error('Please specify a scenario to run');
+ }
- const parsedFile = String(file || _[0]);
+ const result = [
+ path.resolve(parsedFile),
+ path.resolve(`${parsedFile}.ts`),
+ path.resolve(__dirname, '../../scenarios', parsedFile),
+ path.resolve(__dirname, '../../scenarios', `${parsedFile}.ts`),
+ ].find((filepath) => existsSync(filepath));
+
+ if (result) {
+ return result;
+ }
+
+ throw new Error(`Could not find scenario file: "${parsedFile}"`);
+}
+
+export function parseRunCliFlags(flags: RunCliFlags) {
+ const { logLevel } = flags;
+ const parsedFile = getParsedFile(flags);
 let parsedLogLevel = LogLevel.info;
 switch (logLevel) {
diff --git a/packages/kbn-bazel-packages/src/bazel_package_dirs.ts b/packages/kbn-bazel-packages/src/bazel_package_dirs.ts
index 80248646f1e6f..a23b54317454a 100644
--- a/packages/kbn-bazel-packages/src/bazel_package_dirs.ts
+++ b/packages/kbn-bazel-packages/src/bazel_package_dirs.ts
@@ -25,6 +25,7 @@ export const BAZEL_PACKAGE_DIRS = [
 'packages/analytics',
 'packages/analytics/shippers',
 'packages/analytics/shippers/elastic_v3',
+ 'packages/core/*',
 ];
 /**
diff --git a/packages/kbn-cli-dev-mode/BUILD.bazel b/packages/kbn-cli-dev-mode/BUILD.bazel
index 4b45e34b7e9fa..e672f98d5b81d 100644
--- a/packages/kbn-cli-dev-mode/BUILD.bazel
+++ b/packages/kbn-cli-dev-mode/BUILD.bazel
@@ -21,7 +21,6 @@ filegroup(
 NPM_MODULE_EXTRA_FILES = [
 "package.json",
- "README.md"
 ]
 RUNTIME_DEPS = [
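Review bot: `existsSync` in `getParsedFile` is also true for directories, so a bare name that happens to match a folder under the working directory (the `process.cwd()`-relative candidates are tried first) is returned as the scenario and only fails later inside `import()` with a less helpful error; `.find((filepath) => existsSync(filepath) && statSync(filepath).isFile())` with `statSync` added to the `fs` import closes that gap. A short comment on `getParsedFile` stating the lookup order — literal path, then `.ts` appended, then the same two under the bundled `scenarios/` directory — would also document that a local file shadows a bundled scenario of the same name. `parseRunCliFlags` continues past the end of the hunk.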
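Review bot: `'packages/core/*'` in `BAZEL_PACKAGE_DIRS` is one level shallower than the packages this commit adds, which live at `packages/core/injected-metadata/<package>`; if the consumer of this list expands the glob a single directory deep, as the literal sibling entries such as `packages/analytics/shippers/elastic_v3` suggest, it would match `packages/core/injected-metadata` rather than the directories that hold the new `BUILD.bazel` files. Either `'packages/core/*/*'` or one explicit entry per package directory would be unambiguous; if the glob is in fact expanded recursively, a comment on this line saying so would save the next reader the same check.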
diff --git a/packages/kbn-cli-dev-mode/README.md b/packages/kbn-cli-dev-mode/README.md deleted file mode 100644 index 6ce41249674ce..0000000000000 --- a/packages/kbn-cli-dev-mode/README.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# `CliDevMode` - -A class that manages the alternate behavior of the Kibana cli when using the `--dev` flag. This mode provides several useful features in a single CLI for a nice developer experience: - - - automatic server restarts when code changes - - runs the `@kbn/optimizer` to build browser bundles - - runs a base path proxy which helps developers test that they are writing code which is compatible with custom basePath settings while they work - - pauses requests when the server or optimizer are not ready to handle requests so that when users load Kibana in the browser it's always using the code as it exists on disk - -To accomplish this, and to make it easier to test, the `CliDevMode` class manages several objects: - -## `Watcher` - -The `Watcher` manages a [chokidar](https://github.com/paulmillr/chokidar) instance to watch the server files, logs about file changes observed and provides an observable to the `DevServer` via its `serverShouldRestart$()` method. - -## `DevServer` - -The `DevServer` object is responsible for everything related to running and restarting the Kibana server process: - - listens to restart notifications from the `Watcher` object, sending `SIGKILL` to the existing server and launching a new instance with the current code - - writes the stdout/stderr logs from the Kibana server to the parent process - - gracefully kills the process if the SIGINT signal is sent - - kills the server if the SIGTERM signal is sent, process.exit() is used, a second SIGINT is sent, or the gracefull shutdown times out - - proxies SIGHUP notifications to the child process, though the core team is working on migrating this functionality to the KP and making this unnecessary - -## `Optimizer` - -The `Optimizer` object manages a `@kbn/optimizer` instance, adapting its configuration and logging to the data available to the CLI. 
- -## `BasePathProxyServer` - -This proxy injects a random three character base path in the URL that Kibana is served from to help ensure that Kibana features -are written to adapt to custom base path configurations from users. - -The basePathProxy also has another important job, ensuring that requests don't fail because the server is restarting and -that the browser receives front-end assets containing all saved changes. We accomplish this by observing the ready state of -the `Optimizer` and `DevServer` objects and pausing all requests through the proxy until both objects report that -they aren't building/restarting based on recently saved changes. \ No newline at end of file diff --git a/packages/kbn-cli-dev-mode/README.mdx b/packages/kbn-cli-dev-mode/README.mdx new file mode 100644 index 0000000000000..487dd19d7433e --- /dev/null +++ b/packages/kbn-cli-dev-mode/README.mdx 
@@ -0,0 +1,57 @@ +--- +id: kibDevDocsOpsCliDevMode +slug: /kibana-dev-docs/ops/cli-dev-mode +title: "@kbn/cli-dev-mode" +description: A package to manage the Kibana cli behavior when in development +date: 2022-05-24 +tags: ['kibana', 'dev', 'contributor', 'operations', 'cli', 'dev', 'mode'] +--- + +This package exposes a function that manages the alternate behavior of the Kibana cli when using +the `--dev` flag. This mode provides several useful features in a single CLI for a nice developer +experience: + + - automatic server restarts when code changes + - runs the `@kbn/optimizer` to build browser bundles + - runs a base path proxy which helps developers test that they are writing code which is +compatible with custom basePath settings while they work + - pauses requests when the server or optimizer are not ready to handle requests so that when +users load Kibana in the browser it's always using the code as it exists on disk + +To accomplish this, and to make it easier to test, the `CliDevMode` class manages the following +objects. + +## `Watcher` + +The `Watcher` manages a [chokidar](https://github.com/paulmillr/chokidar) instance to watch the +server files, logs about file changes observed and provides an observable to the `DevServer` via +its `serverShouldRestart$()` method. 
+ +## `DevServer` + +The `DevServer` object is responsible for everything related to running and restarting the Kibana +server process: + - listens to restart notifications from the `Watcher` object, sending `SIGKILL` to the existing +server and launching a new instance with the current code + - writes the stdout/stderr logs from the Kibana server to the parent process + - gracefully kills the process if the SIGINT signal is sent + - kills the server if the SIGTERM signal is sent, process.exit() is used, a second SIGINT is +sent, or the graceful shutdown times out + - proxies SIGHUP notifications to the child process, though the core team is working on +migrating this functionality to the KP and making this unnecessary + +## `Optimizer` + +The `Optimizer` object manages a `@kbn/optimizer` instance, adapting its configuration and +logging to the data available to the CLI. + +## `BasePathProxyServer` + +This proxy injects a random three character base path in the URL that Kibana is served from to +help ensure that Kibana features are written to adapt to custom base path configurations from users. + +The basePathProxy also has another important job, ensuring that requests don't fail because the +server is restarting and that the browser receives front-end assets containing all saved +changes. We accomplish this by observing the ready state of the `Optimizer` and `DevServer` +objects and pausing all requests through the proxy until both objects report that they +aren't building/restarting based on recently saved changes. \ No newline at end of file diff --git a/packages/kbn-cli-dev-mode/src/get_server_watch_paths.test.ts b/packages/kbn-cli-dev-mode/src/get_server_watch_paths.test.ts index 1b0cbc8cf2c08..1b1072837b740 100644 --- a/packages/kbn-cli-dev-mode/src/get_server_watch_paths.test.ts +++ b/packages/kbn-cli-dev-mode/src/get_server_watch_paths.test.ts 
@@ -77,6 +77,7 @@ it('produces the right watch and ignore list', () => { /x-pack/plugins/security_solution/scripts, /x-pack/plugins/security_solution/server/lib/detection_engine/scripts, /x-pack/plugins/synthetics/e2e, + /x-pack/plugins/ux/e2e, ] `); }); diff --git a/packages/kbn-cli-dev-mode/src/get_server_watch_paths.ts b/packages/kbn-cli-dev-mode/src/get_server_watch_paths.ts index 59650039bcf27..8e8dbc8bf0fc2 100644 --- a/packages/kbn-cli-dev-mode/src/get_server_watch_paths.ts +++ b/packages/kbn-cli-dev-mode/src/get_server_watch_paths.ts @@ -67,6 +67,7 @@ export function getServerWatchPaths({ pluginPaths, pluginScanDirs }: Options) { fromRoot('x-pack/plugins/security_solution/scripts'), fromRoot('x-pack/plugins/security_solution/server/lib/detection_engine/scripts'), fromRoot('x-pack/plugins/synthetics/e2e'), + fromRoot('x-pack/plugins/ux/e2e'), ]; return { diff --git a/packages/kbn-config-mocks/BUILD.bazel b/packages/kbn-config-mocks/BUILD.bazel new file mode 100644 index 0000000000000..c49c71da31c90 --- /dev/null +++ b/packages/kbn-config-mocks/BUILD.bazel 
@@ -0,0 +1,98 @@ +load("@npm//@bazel/typescript:index.bzl", "ts_config") +load("@build_bazel_rules_nodejs//:index.bzl", "js_library") +load("//src/dev/bazel:index.bzl", "jsts_transpiler", "pkg_npm", "pkg_npm_types", "ts_project") + +PKG_DIRNAME = "kbn-config-mocks" +PKG_REQUIRE_NAME = "@kbn/config-mocks" + +SOURCE_FILES = glob( + [ + "src/**/*.ts", + ], + exclude = [ + "**/*.test.*", + ], +) + +SRCS = SOURCE_FILES + +filegroup( + name = "srcs", + srcs = SRCS, +) + +NPM_MODULE_EXTRA_FILES = [ + "package.json", +] + +RUNTIME_DEPS = [ + "//packages/kbn-config", +] + +TYPES_DEPS = [ + "@npm//rxjs", + "@npm//@types/node", + "@npm//@types/jest", + "//packages/kbn-config:npm_module_types", +] + +jsts_transpiler( + name = "target_node", + srcs = SRCS, + build_pkg_name = package_name(), +) + +ts_config( + name = "tsconfig", + src = "tsconfig.json", + deps = [ + "//:tsconfig.base.json", + "//:tsconfig.bazel.json", + ], +) + +ts_project( + name = "tsc_types", + args = ['--pretty'], + srcs = SRCS, + deps = TYPES_DEPS, + declaration = True, + emit_declaration_only = True, + out_dir = "target_types", + root_dir = "src", + tsconfig = ":tsconfig", +) + +js_library( + name = PKG_DIRNAME, + srcs = NPM_MODULE_EXTRA_FILES, + deps = RUNTIME_DEPS + [":target_node"], + package_name = PKG_REQUIRE_NAME, + visibility = ["//visibility:public"], +) + +pkg_npm( + name = "npm_module", + deps = [":" + PKG_DIRNAME], +) + +filegroup( + name = "build", + srcs = [":npm_module"], + visibility = ["//visibility:public"], +) + +pkg_npm_types( + name = "npm_module_types", + srcs = SRCS, + deps = [":tsc_types"], + package_name = PKG_REQUIRE_NAME, + tsconfig = ":tsconfig", + visibility = ["//visibility:public"], +) + +filegroup( + name = "build_types", + srcs = [":npm_module_types"], + visibility = ["//visibility:public"], +) diff --git a/packages/kbn-config-mocks/README.md b/packages/kbn-config-mocks/README.md new file mode 100644 index 0000000000000..093174a624095 --- /dev/null 
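Review bot: RUNTIME_DEPS lists only `//packages/kbn-config`, yet the package's sources import `rxjs` at runtime (`BehaviorSubject` in config_service.mock.ts, `of` in raw_config_service.mock.ts), and TYPES_DEPS has no entry for `@kbn/doc-links` or `@kbn/utility-types`, which deprecations.mock.ts and raw_config_service.mock.ts import as types. If this tree's convention is that every directly imported npm package and every referenced package-types target must be declared (the presence of `@npm//rxjs` in TYPES_DEPS suggests it is), the build currently works only because those happen to be reachable transitively through kbn-config. I would add `"@npm//rxjs"` to RUNTIME_DEPS and, following the `//packages/kbn-config:npm_module_types` pattern used here, the `:npm_module_types` targets of kbn-doc-links and kbn-utility-types to TYPES_DEPS.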
+++ b/packages/kbn-config-mocks/README.md @@ -0,0 +1,3 @@ +# @kbn/config-mocks + +This package contains the mocks related to the `@kbn/config` package diff --git a/packages/kbn-config-mocks/jest.config.js b/packages/kbn-config-mocks/jest.config.js new file mode 100644 index 0000000000000..61c570a042f99 --- /dev/null +++ b/packages/kbn-config-mocks/jest.config.js @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +module.exports = { + preset: '@kbn/test/jest_node', + rootDir: '../..', + roots: ['/packages/kbn-config-mocks'], +}; diff --git a/packages/kbn-config-mocks/package.json b/packages/kbn-config-mocks/package.json new file mode 100644 index 0000000000000..4f94fcbdb579d --- /dev/null +++ b/packages/kbn-config-mocks/package.json @@ -0,0 +1,7 @@ +{ + "name": "@kbn/config-mocks", + "private": true, + "version": "1.0.0", + "main": "./target_node/index.js", + "license": "SSPL-1.0 OR Elastic License 2.0" +} diff --git a/packages/kbn-config/src/config.mock.ts b/packages/kbn-config-mocks/src/config.mock.ts similarity index 86% rename from packages/kbn-config/src/config.mock.ts rename to packages/kbn-config-mocks/src/config.mock.ts index b28645c8f4132..b8ae4a531038c 100644 --- a/packages/kbn-config/src/config.mock.ts +++ b/packages/kbn-config-mocks/src/config.mock.ts @@ -6,9 +6,9 @@ * Side Public License, v 1. */ -import { Config } from './config'; +import type { Config } from '@kbn/config'; -type ConfigMock = jest.Mocked; +export type ConfigMock = jest.Mocked; const createConfigMock = (): ConfigMock => ({ has: jest.fn(), 
diff --git a/packages/kbn-config/src/config_service.mock.ts b/packages/kbn-config-mocks/src/config_service.mock.ts similarity index 89% rename from packages/kbn-config/src/config_service.mock.ts rename to packages/kbn-config-mocks/src/config_service.mock.ts index 68adbba7c0ed7..09a282965eba8 100644 --- a/packages/kbn-config/src/config_service.mock.ts +++ b/packages/kbn-config-mocks/src/config_service.mock.ts @@ -7,15 +7,15 @@ */ import { BehaviorSubject } from 'rxjs'; -import { ObjectToConfigAdapter } from './object_to_config_adapter'; +import { ObjectToConfigAdapter, IConfigService } from '@kbn/config'; -import { IConfigService } from './config_service'; +export type IConfigServiceMock = jest.Mocked; const createConfigServiceMock = ({ atPath = {}, getConfig$ = {}, }: { atPath?: Record; getConfig$?: Record } = {}) => { - const mocked: jest.Mocked = { + const mocked: IConfigServiceMock = { atPath: jest.fn(), atPathSync: jest.fn(), getConfig$: jest.fn(), @@ -37,6 +37,7 @@ const createConfigServiceMock = ({ mocked.getUnusedPaths.mockResolvedValue([]); mocked.isEnabledAtPath.mockResolvedValue(true); mocked.getHandledDeprecatedConfigs.mockReturnValue([]); + return mocked; }; diff --git a/packages/kbn-config/src/deprecation/deprecations.mock.ts b/packages/kbn-config-mocks/src/deprecations.mock.ts similarity index 83% rename from packages/kbn-config/src/deprecation/deprecations.mock.ts rename to packages/kbn-config-mocks/src/deprecations.mock.ts index 06b467290b47e..45b26003f5271 100644 --- a/packages/kbn-config/src/deprecation/deprecations.mock.ts +++ b/packages/kbn-config-mocks/src/deprecations.mock.ts @@ -7,7 +7,9 @@ */ import type { DocLinks } from '@kbn/doc-links'; -import type { ConfigDeprecationContext } from './types'; +import type { ConfigDeprecationContext } from '@kbn/config'; + +export type ConfigDeprecationContextMock = ConfigDeprecationContext; const createMockedContext = (): ConfigDeprecationContext => { return { 
diff --git a/packages/kbn-config/src/__mocks__/env.ts b/packages/kbn-config-mocks/src/env.mock.ts similarity index 90% rename from packages/kbn-config/src/__mocks__/env.ts rename to packages/kbn-config-mocks/src/env.mock.ts index 124a798501a96..547fc6852c746 100644 --- a/packages/kbn-config/src/__mocks__/env.ts +++ b/packages/kbn-config-mocks/src/env.mock.ts @@ -6,9 +6,7 @@ * Side Public License, v 1. */ -// Test helpers to simplify mocking environment options. - -import { EnvOptions } from '../env'; +import type { EnvOptions } from '@kbn/config'; type DeepPartial = { [P in keyof T]?: T[P] extends Array ? Array> : DeepPartial; diff --git a/packages/kbn-config-mocks/src/index.ts b/packages/kbn-config-mocks/src/index.ts new file mode 100644 index 0000000000000..580a7293b50cb --- /dev/null +++ b/packages/kbn-config-mocks/src/index.ts @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export { rawConfigServiceMock } from './raw_config_service.mock'; +export type { RawConfigServiceMock } from './raw_config_service.mock'; + +export { configMock } from './config.mock'; +export type { ConfigMock } from './config.mock'; + +export { configServiceMock } from './config_service.mock'; +export type { IConfigServiceMock } from './config_service.mock'; + +export { configDeprecationsMock } from './deprecations.mock'; +export type { ConfigDeprecationContextMock } from './deprecations.mock'; + +export { getEnvOptions } from './env.mock'; 
diff --git a/packages/kbn-config/src/raw/raw_config_service.mock.ts b/packages/kbn-config-mocks/src/raw_config_service.mock.ts similarity index 83% rename from packages/kbn-config/src/raw/raw_config_service.mock.ts rename to packages/kbn-config-mocks/src/raw_config_service.mock.ts index 1b5d5c3de4263..cb232bf5f0754 100644 --- a/packages/kbn-config/src/raw/raw_config_service.mock.ts +++ b/packages/kbn-config-mocks/src/raw_config_service.mock.ts @@ -6,15 +6,17 @@ * Side Public License, v 1. */ -import type { PublicMethodsOf } from '@kbn/utility-types'; -import { RawConfigService } from './raw_config_service'; import { Observable, of } from 'rxjs'; +import type { PublicMethodsOf } from '@kbn/utility-types'; +import type { RawConfigService } from '@kbn/config'; + +export type RawConfigServiceMock = jest.Mocked>; const createRawConfigServiceMock = ({ rawConfig = {}, rawConfig$ = undefined, }: { rawConfig?: Record; rawConfig$?: Observable> } = {}) => { - const mocked: jest.Mocked> = { + const mocked: RawConfigServiceMock = { loadConfig: jest.fn(), stop: jest.fn(), reloadConfig: jest.fn(), diff --git a/packages/kbn-config-mocks/tsconfig.json b/packages/kbn-config-mocks/tsconfig.json new file mode 100644 index 0000000000000..a8cfc2cceb08b --- /dev/null +++ b/packages/kbn-config-mocks/tsconfig.json @@ -0,0 +1,17 @@ +{ + "extends": "../../tsconfig.bazel.json", + "compilerOptions": { + "declaration": true, + "emitDeclarationOnly": true, + "outDir": "target_types", + "rootDir": "src", + "stripInternal": false, + "types": [ + "jest", + "node" + ] + }, + "include": [ + "src/**/*" + ] +} diff --git a/packages/kbn-config/src/config_service.test.ts b/packages/kbn-config/src/config_service.test.ts index b427af4e50229..8987cd8ec6c6d 100644 --- a/packages/kbn-config/src/config_service.test.ts +++ b/packages/kbn-config/src/config_service.test.ts 
@@ -15,7 +15,7 @@ import { docLinksMock, getDocLinksMock, } from './config_service.test.mocks'; -import { rawConfigServiceMock } from './raw/raw_config_service.mock'; +import { createRawConfigServiceMock } from './internal_mocks'; import { schema } from '@kbn/config-schema'; import { MockedLogger, loggerMock } from '@kbn/logging-mocks'; @@ -23,7 +23,7 @@ import { MockedLogger, loggerMock } from '@kbn/logging-mocks'; import type { ConfigDeprecationContext } from './deprecation'; import { ConfigService, Env, RawPackageInfo } from '.'; -import { getEnvOptions } from './__mocks__/env'; +import { getEnvOptions } from './internal_mocks'; const packageInfos: RawPackageInfo = { branch: 'master', @@ -39,7 +39,7 @@ const defaultEnv = new Env('/kibana', packageInfos, emptyArgv); let logger: MockedLogger; const getRawConfigProvider = (rawConfig: Record) => - rawConfigServiceMock.create({ rawConfig }); + createRawConfigServiceMock({ rawConfig }); beforeEach(() => { logger = loggerMock.create(); @@ -88,7 +88,7 @@ test('throws if config at path does not match schema', async () => { test('re-validate config when updated', async () => { const rawConfig$ = new BehaviorSubject>({ key: 'value' }); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig$ }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig$ }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); configService.setSchema('key', schema.string()); @@ -115,7 +115,7 @@ test('re-validate config when updated', async () => { test("does not push new configs when reloading if config at path hasn't changed", async () => { const rawConfig$ = new BehaviorSubject>({ key: 'value' }); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig$ }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig$ }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema('key', schema.string()); 
@@ -132,7 +132,7 @@ test("does not push new configs when reloading if config at path hasn't changed" test('pushes new config when reloading and config at path has changed', async () => { const rawConfig$ = new BehaviorSubject>({ key: 'value' }); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig$ }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig$ }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema('key', schema.string()); @@ -148,7 +148,7 @@ test('pushes new config when reloading and config at path has changed', async () }); test("throws error if 'schema' is not defined for a key", async () => { - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: { key: 'value' } }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: { key: 'value' } }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); const configs = configService.atPath('key'); @@ -159,7 +159,7 @@ test("throws error if 'schema' is not defined for a key", async () => { }); test("throws error if 'setSchema' called several times for the same key", async () => { - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: { key: 'value' } }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: { key: 'value' } }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); const addSchema = async () => await configService.setSchema('key', schema.string()); await addSchema(); @@ -169,7 +169,7 @@ test("throws error if 'setSchema' called several times for the same key", async }); test('flags schema paths as handled when registering a schema', async () => { - const rawConfigProvider = rawConfigServiceMock.create({ + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: { service: { string: 'str', 
@@ -209,7 +209,7 @@ test('tracks unhandled paths', async () => { }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema( 'service', @@ -242,7 +242,7 @@ test('correctly passes context', async () => { }; const env = new Env('/kibana', mockPackage, getEnvOptions()); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: { foo: {} } }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: { foo: {} } }); const schemaDefinition = schema.object({ branchRef: schema.string({ @@ -275,7 +275,7 @@ test('handles disabled path and marks config as used', async () => { }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); configService.setSchema( @@ -300,7 +300,7 @@ test('does not throw if schema does not define "enabled" schema', async () => { }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); expect( configService.setSchema( 
@@ -319,7 +319,7 @@ test('does not throw if schema does not define "enabled" schema', async () => { test('treats config as enabled if config path is not present in schema', async () => { const initialConfig = {}; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); const isEnabled = await configService.isEnabledAtPath('pid'); @@ -336,7 +336,7 @@ test('throws if reading "enabled" when it is not present in the schema', async ( }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); configService.setSchema( @@ -360,7 +360,7 @@ test('throws if reading "enabled" when no schema exists', async () => { }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await expect( @@ -375,7 +375,7 @@ test('throws if reading any config value when no schema exists', async () => { }, }; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await expect( 
@@ -386,7 +386,7 @@ test('throws if reading any config value when no schema exists', async () => { test('allows plugins to specify "enabled" flag via validation schema', async () => { const initialConfig = {}; - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig: initialConfig }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig: initialConfig }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema( @@ -591,7 +591,7 @@ describe('atPathSync', () => { test('returns the last config value', async () => { const rawConfig$ = new BehaviorSubject>({ key: 'value' }); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig$ }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig$ }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema('key', schema.string()); @@ -657,7 +657,7 @@ describe('getHandledDeprecatedConfigs', () => { describe('getDeprecatedConfigPath$', () => { it('returns all config paths changes during deprecation', async () => { const rawConfig$ = new BehaviorSubject>({ key: 'value' }); - const rawConfigProvider = rawConfigServiceMock.create({ rawConfig$ }); + const rawConfigProvider = createRawConfigServiceMock({ rawConfig$ }); const configService = new ConfigService(rawConfigProvider, defaultEnv, logger); await configService.setSchema('key', schema.string()); diff --git a/packages/kbn-config/src/deprecation/deprecation_factory.test.ts b/packages/kbn-config/src/deprecation/deprecation_factory.test.ts index f104e42d1d2ce..4d155862de945 100644 --- a/packages/kbn-config/src/deprecation/deprecation_factory.test.ts +++ b/packages/kbn-config/src/deprecation/deprecation_factory.test.ts 
@@ -7,13 +7,13 @@
 */
 import { DeprecatedConfigDetails } from './types';
-import { configDeprecationsMock } from './deprecations.mock';
+import { createMockedContext } from '../internal_mocks';
 import { configDeprecationFactory } from './deprecation_factory';
 describe('DeprecationFactory', () => {
 const { deprecate, deprecateFromRoot, rename, renameFromRoot, unused, unusedFromRoot } =
 configDeprecationFactory;
- const context = configDeprecationsMock.createContext();
+ const context = createMockedContext();
 const addDeprecation = jest.fn();
diff --git a/packages/kbn-config/src/env.test.ts b/packages/kbn-config/src/env.test.ts
index b9e97514c2dff..7411a59e16801 100644
--- a/packages/kbn-config/src/env.test.ts
+++ b/packages/kbn-config/src/env.test.ts
@@ -9,7 +9,7 @@
 import { mockPackage } from './env.test.mocks';
 import { Env, RawPackageInfo } from './env';
-import { getEnvOptions } from './__mocks__/env';
+import { getEnvOptions } from './internal_mocks';
 const REPO_ROOT = '/test/kibanaRoot';
diff --git a/packages/kbn-config/src/index.ts b/packages/kbn-config/src/index.ts
index e4b60d939c074..933909ad0b7d2 100644
--- a/packages/kbn-config/src/index.ts
+++ b/packages/kbn-config/src/index.ts
@@ -27,6 +27,6 @@ export { ConfigService } from './config_service';
 export type { Config, ConfigPath } from './config';
 export { isConfigPath, hasConfigPathIntersection } from './config';
 export { ObjectToConfigAdapter } from './object_to_config_adapter';
-export type { CliArgs, RawPackageInfo } from './env';
+export type { CliArgs, RawPackageInfo, EnvOptions } from './env';
 export { Env } from './env';
 export type { EnvironmentMode, PackageInfo } from './types';
diff --git a/packages/kbn-config/src/internal_mocks.ts b/packages/kbn-config/src/internal_mocks.ts
new file mode 100644
index 0000000000000..d321170ec8b00
--- /dev/null
+++ b/packages/kbn-config/src/internal_mocks.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { Observable, of } from 'rxjs';
+import { DocLinks } from '@kbn/doc-links';
+import { PublicMethodsOf } from '@kbn/utility-types';
+import type { EnvOptions } from './env';
+import type { RawConfigService } from './raw';
+import type { ConfigDeprecationContext } from './deprecation';
+
+type DeepPartial = {
+ [P in keyof T]?: T[P] extends Array ? Array> : DeepPartial;
+};
+
+export function getEnvOptions(options: DeepPartial = {}): EnvOptions {
+ return {
+ configs: options.configs || [],
+ cliArgs: {
+ dev: true,
+ silent: false,
+ watch: false,
+ basePath: false,
+ disableOptimizer: true,
+ cache: true,
+ dist: false,
+ oss: false,
+ runExamples: false,
+ ...(options.cliArgs || {}),
+ },
+ };
+}
+
+export const createMockedContext = (): ConfigDeprecationContext => {
+ return {
+ branch: 'master',
+ version: '8.0.0',
+ docLinks: {} as DocLinks,
+ };
+};
+
+export const createRawConfigServiceMock = ({
+ rawConfig = {},
+ rawConfig$ = undefined,
+}: { rawConfig?: Record; rawConfig$?: Observable> } = {}) => {
+ const mocked: jest.Mocked> = {
+ loadConfig: jest.fn(),
+ stop: jest.fn(),
+ reloadConfig: jest.fn(),
+ getConfig$: jest.fn().mockReturnValue(rawConfig$ || of(rawConfig)),
+ };
+
+ return mocked;
+};
diff --git a/packages/kbn-config/src/mocks.ts b/packages/kbn-config/src/mocks.ts
deleted file mode 100644
index 40df96eb41f08..0000000000000
--- a/packages/kbn-config/src/mocks.ts
+++ /dev/null
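Review bot: The new internal_mocks.ts has no comment explaining why `getEnvOptions`, `createMockedContext` and `createRawConfigServiceMock` are re-implemented here rather than imported from the new `@kbn/config-mocks` package, and the deleted mocks.ts that follows is where the old explanation of the mocking arrangement lived. The reason is presumably that `@kbn/config-mocks` depends on `@kbn/config`, so this package's own tests cannot import it without a cycle; a header such as `// Private copies of the @kbn/config-mocks helpers for this package's own tests: the public mocks package depends on @kbn/config, so importing it from here would be circular.` would stop the next reader from "deduplicating" them. `docLinks: {} as DocLinks` in createMockedContext also hides an empty object behind the full type; a one-line comment stating that tests using this context must not dereference `docLinks` would make the contract explicit. The file also uses `jest.fn()`/`jest.Mocked` globals outside a `*.test.ts`/`*.mock.ts` name, which is only safe as long as it stays out of the package's public index.ts export list, as it does in this commit.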
@@ -1,18 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-// these CANT be exported by the main entrypoint, as it cause ts check failures
-// in `src/test` and `src/xpack/test` projects due to definition conflicts between
-// mocha and jest declaring the same globals such as `it` or `beforeAll`, as the test
-// files imports types from `core` that is importing the main `@kbn/config` entrypoint.
-// For now, these should be imported using `import {} from '@kbn/config/target/mocks'`
-export { configMock } from './config.mock';
-export { configServiceMock } from './config_service.mock';
-export { rawConfigServiceMock } from './raw/raw_config_service.mock';
-export { configDeprecationsMock } from './deprecation/deprecations.mock';
-export { getEnvOptions } from './__mocks__/env';
diff --git a/packages/kbn-es-archiver/src/actions/save.ts b/packages/kbn-es-archiver/src/actions/save.ts
index 16f0cbc3c1846..9fcbe45946eb7 100644
--- a/packages/kbn-es-archiver/src/actions/save.ts
+++ b/packages/kbn-es-archiver/src/actions/save.ts
@@ -52,7 +52,7 @@ export async function saveAction({
 // export and save the matching indices to mappings.json
 createPromiseFromStreams([
 createListStream(indices),
- createGenerateIndexRecordsStream({ client, stats, keepIndexNames }),
+ createGenerateIndexRecordsStream({ client, stats, keepIndexNames, log }),
 ...createFormatArchiveStreams(),
 createWriteStream(resolve(outputDir, 'mappings.json')),
 ] as [Readable, ...Writable[]]),
diff --git a/packages/kbn-es-archiver/src/actions/unload.ts b/packages/kbn-es-archiver/src/actions/unload.ts
index 2d4b16d718689..e564bcbb1a703 100644
--- a/packages/kbn-es-archiver/src/actions/unload.ts
+++ b/packages/kbn-es-archiver/src/actions/unload.ts
@@ -45,7 +45,7 @@ export async function unloadAction({
 await createPromiseFromStreams([
 createReadStream(resolve(inputDir, filename)) as Readable,
 ...createParseArchiveStreams({ gzip: isGzip(filename) }),
- createFilterRecordsStream('index'),
+ createFilterRecordsStream((record) => ['index', 'data_stream'].includes(record.type)),
 createDeleteIndexStream(client, stats, log),
 ] as [Readable, ...Writable[]]);
 }
diff --git a/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.test.ts b/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.test.ts
index e102ac50c3876..386d6d4a088ce 100644
--- a/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.test.ts
+++ b/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.test.ts
@@ -36,16 +36,29 @@ interface SearchResponses {
 }>;
 }
-function createMockClient(responses: SearchResponses) {
+function createMockClient(responses: SearchResponses, hasDataStreams = false) {
 // TODO: replace with proper mocked client
 const client: any = {
 helpers: {
 scrollSearch: jest.fn(function* ({ index }) {
+ if (hasDataStreams) {
+ index = `.ds-${index}`;
+ }
+
 while (responses[index] && responses[index].length) {
 yield responses[index].shift()!;
 }
 }),
 },
+ indices: {
+ get: jest.fn(async ({ index }) => {
+ return { [index]: { data_stream: hasDataStreams && index.substring(4) } };
+ }),
+ getDataStream: jest.fn(async ({ name }) => {
+ if (!hasDataStreams) return { data_streams: [] };
+ return { data_streams: [{ name }] };
+ }),
+ },
 };
 return client;
 }
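Review bot: In the `indices.get` mock of createMockClient, `index.substring(4)` encodes the length of the `.ds-` prefix as a magic number, and `hasDataStreams && index.substring(4)` produces `false` rather than omitting `data_stream` when data streams are off, which is not the shape a real response has. Spelling both out keeps the mock honest: `data_stream: hasDataStreams ? index.replace(/^\.ds-/, '') : undefined`. The `getDataStream` mock also answers every name with `{ data_streams: [] }` in the non-data-stream case, so if the real API rejects a concrete unknown name with a not-found error (I believe it does), the production code's behaviour on that path is never exercised by these tests; one case using `mockRejectedValue` would cover it.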
@@ -217,6 +230,35 @@ describe('esArchiver: createGenerateDocRecordsStream()', () => { `); }); + it('supports data streams', async () => { + const hits = [ + { _index: '.ds-foo-datastream', _id: '0', _source: {} }, + { _index: '.ds-foo-datastream', _id: '1', _source: {} }, + ]; + const responses = { + '.ds-foo-datastream': [{ body: { hits: { hits, total: hits.length } } }], + }; + const client = createMockClient(responses, true); + + const stats = createStats('test', log); + const progress = new Progress(); + + const results = await createPromiseFromStreams([ + createListStream(['foo-datastream']), + createGenerateDocRecordsStream({ + client, + stats, + progress, + }), + createMapStream((record: any) => { + return `${record.value.data_stream}:${record.value.id}`; + }), + createConcatStream([]), + ]); + + expect(results).toEqual(['foo-datastream:0', 'foo-datastream:1']); + }); + describe('keepIndexNames', () => { it('changes .kibana* index names if keepIndexNames is not enabled', async () => { const hits = [{ _index: '.kibana_7.16.0_001', _id: '0', _source: {} }]; diff --git a/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.ts b/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.ts index 40907bd0af238..6e3310a7347e7 100644 --- a/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.ts +++ b/packages/kbn-es-archiver/src/lib/docs/generate_doc_records_stream.ts @@ -47,6 +47,10 @@ export function createGenerateDocRecordsStream({ } ); + const hasDatastreams = + (await client.indices.getDataStream({ name: index })).data_streams.length > 0; + const indexToDatastream = new Map(); + let remainingHits: number | null = null; for await (const resp of interator) { 
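Review bot: `client.indices.getDataStream({ name: index })` omits the `{ headers: ES_CLIENT_HEADERS }` option that the other archiver requests in this patch pass (for example `putIndexTemplate` and `createDataStream` in create_index_stream.ts); `(await client.indices.getDataStream({ name: index }, { headers: ES_CLIENT_HEADERS })).data_streams.length > 0` keeps the calls consistent. It is also worth confirming what the client returns when `index` names an ordinary index rather than a data stream: if that is a rejected promise instead of an empty `data_streams` array, every non-data-stream archive fails at this line, and the new test mock (which always resolves) would not show it. createGenerateDocRecordsStream begins before this hunk.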
@@ -57,7 +61,17 @@ export function createGenerateDocRecordsStream({ for (const hit of resp.body.hits.hits) { remainingHits -= 1; - stats.archivedDoc(hit._index); + + if (hasDatastreams && !indexToDatastream.has(hit._index)) { + const { + [hit._index]: { data_stream: dataStream }, + } = await client.indices.get({ index: hit._index, filter_path: ['*.data_stream'] }); + indexToDatastream.set(hit._index, dataStream); + } + + const dataStream = indexToDatastream.get(hit._index); + stats.archivedDoc(dataStream || hit._index); + this.push({ type: 'doc', value: { @@ -65,6 +79,7 @@ export function createGenerateDocRecordsStream({ // when it is loaded it can skip migration, if possible index: hit._index.startsWith('.kibana') && !keepIndexNames ? '.kibana_1' : hit._index, + data_stream: dataStream, id: hit._id, source: hit._source, }, diff --git a/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.test.ts b/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.test.ts index 5dc9b4b7bd8dd..c1bb94ee13498 100644 --- a/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.test.ts +++ b/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.test.ts 
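Review bot: The destructuring `{ [hit._index]: { data_stream: dataStream } } = await client.indices.get(...)` throws a TypeError whenever the response has no entry for `hit._index`, and with `filter_path: ['*.data_stream']` that is what happens for an index that is not a data-stream backing index, so a scroll that returns hits from both kinds crashes instead of falling back to `hit._index`. Reading the field defensively avoids that: `const info = await client.indices.get({ index: hit._index, filter_path: ['*.data_stream'] }, { headers: ES_CLIENT_HEADERS });` followed by `indexToDatastream.set(hit._index, info[hit._index]?.data_stream);`, which also adds the request headers the other archiver calls pass. With that, the `dataStream || hit._index` fallback in `stats.archivedDoc` and the `data_stream:` field added in the second hunk behave as intended for mixed results. The enclosing function starts before this hunk.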
@@ -243,6 +243,55 @@ describe('bulk helper onDocument param', () => { createIndexDocRecordsStream(client as any, stats, progress, true), ]); }); + + it('returns create ops for data stream documents', async () => { + const records = [ + { + type: 'doc', + value: { + index: '.ds-foo-ds', + data_stream: 'foo-ds', + id: '0', + source: { + hello: 'world', + }, + }, + }, + { + type: 'doc', + value: { + index: '.ds-foo-ds', + data_stream: 'foo-ds', + id: '1', + source: { + hello: 'world', + }, + }, + }, + ]; + expect.assertions(records.length); + + const client = new MockClient(); + client.helpers.bulk.mockImplementation(async ({ datasource, onDocument }) => { + for (const d of datasource) { + const op = onDocument(d); + expect(op).toEqual({ + create: { + _index: 'foo-ds', + _id: expect.stringMatching(/^\d$/), + }, + }); + } + }); + + const stats = createStats('test', log); + const progress = new Progress(); + + await createPromiseFromStreams([ + createListStream(records), + createIndexDocRecordsStream(client as any, stats, progress), + ]); + }); }); describe('bulk helper onDrop param', () => { diff --git a/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.ts b/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.ts index 749bfd0872353..40e1c1932aeee 100644 --- a/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.ts +++ b/packages/kbn-es-archiver/src/lib/docs/index_doc_records_stream.ts @@ -13,6 +13,11 @@ import { Stats } from '../stats'; import { Progress } from '../progress'; import { ES_CLIENT_HEADERS } from '../../client_headers'; +enum BulkOperation { + Create = 'create', + Index = 'index', +} + export function createIndexDocRecordsStream( client: Client, stats: Stats, 
@@ -20,7 +25,7 @@ export function createIndexDocRecordsStream( useCreate: boolean = false ) { async function indexDocs(docs: any[]) { - const operation = useCreate === true ? 'create' : 'index'; + const operation = useCreate === true ? BulkOperation.Create : BulkOperation.Index; const ops = new WeakMap(); const errors: string[] = []; @@ -29,9 +34,11 @@ export function createIndexDocRecordsStream( retries: 5, datasource: docs.map((doc) => { const body = doc.source; + const op = doc.data_stream ? BulkOperation.Create : operation; + const index = doc.data_stream || doc.index; ops.set(body, { - [operation]: { - _index: doc.index, + [op]: { + _index: index, _id: doc.id, }, }); @@ -56,7 +63,7 @@ export function createIndexDocRecordsStream( } for (const doc of docs) { - stats.indexedDoc(doc.index); + stats.indexedDoc(doc.data_stream || doc.index); } } diff --git a/packages/kbn-es-archiver/src/lib/index.ts b/packages/kbn-es-archiver/src/lib/index.ts index ee37591e1f2c3..8a857fb24002a 100644 --- a/packages/kbn-es-archiver/src/lib/index.ts +++ b/packages/kbn-es-archiver/src/lib/index.ts @@ -33,3 +33,5 @@ export { export { readDirectory } from './directory'; export { Progress } from './progress'; + +export { getIndexTemplate } from './index_template'; diff --git a/packages/kbn-es-archiver/src/lib/index_template.test.ts b/packages/kbn-es-archiver/src/lib/index_template.test.ts new file mode 100644 index 0000000000000..b8f5330663ee1 --- /dev/null +++ b/packages/kbn-es-archiver/src/lib/index_template.test.ts 
@@ -0,0 +1,105 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import type { Client } from '@elastic/elasticsearch'; + +import sinon from 'sinon'; +import { getIndexTemplate } from './index_template'; + +describe('esArchiver: index template', () => { + describe('getIndexTemplate', () => { + it('returns the index template', async () => { + const client = { + indices: { + getIndexTemplate: sinon.stub().resolves({ + index_templates: [ + { + index_template: { + index_patterns: ['pattern-*'], + template: { + mappings: { properties: { foo: { type: 'keyword' } } }, + }, + priority: 500, + composed_of: [], + data_stream: { hidden: false }, + }, + }, + ], + }), + }, + } as unknown as Client; + + const template = await getIndexTemplate(client, 'template-foo'); + + expect(template).toEqual({ + name: 'template-foo', + index_patterns: ['pattern-*'], + template: { + mappings: { properties: { foo: { type: 'keyword' } } }, + }, + priority: 500, + data_stream: { hidden: false }, + }); + }); + + it('resolves component templates', async () => { + const client = { + indices: { + getIndexTemplate: sinon.stub().resolves({ + index_templates: [ + { + index_template: { + index_patterns: ['pattern-*'], + composed_of: ['the-settings', 'the-mappings'], + }, + }, + ], + }), + }, + cluster: { + getComponentTemplate: sinon + .stub() + .onFirstCall() + .resolves({ + component_templates: [ + { + component_template: { + template: { + aliases: { 'foo-alias': {} }, + }, + }, + }, + ], + }) + .onSecondCall() + .resolves({ + component_templates: [ + { + component_template: { + template: { + mappings: { properties: { foo: { type: 'keyword' } } }, + }, + }, + }, + ], + }), + }, + } as unknown 
as Client; + + const template = await getIndexTemplate(client, 'template-foo'); + + expect(template).toEqual({ + name: 'template-foo', + index_patterns: ['pattern-*'], + template: { + aliases: { 'foo-alias': {} }, + mappings: { properties: { foo: { type: 'keyword' } } }, + }, + }); + }); + }); +}); diff --git a/packages/kbn-es-archiver/src/lib/index_template.ts b/packages/kbn-es-archiver/src/lib/index_template.ts new file mode 100644 index 0000000000000..9d67add9757db --- /dev/null +++ b/packages/kbn-es-archiver/src/lib/index_template.ts @@ -0,0 +1,37 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { merge } from 'lodash'; +import type { Client } from '@elastic/elasticsearch'; + +import { ES_CLIENT_HEADERS } from '../client_headers'; + +export const getIndexTemplate = async (client: Client, templateName: string) => { + const { index_templates: indexTemplates } = await client.indices.getIndexTemplate( + { name: templateName }, + { headers: ES_CLIENT_HEADERS } + ); + const { + index_template: { template, composed_of: composedOf = [], ...indexTemplate }, + } = indexTemplates[0]; + + const components = await Promise.all( + composedOf.map(async (component) => { + const { component_templates: componentTemplates } = await client.cluster.getComponentTemplate( + { name: component } + ); + return componentTemplates[0].component_template.template; + }) + ); + + return { + ...indexTemplate, + name: templateName, + template: merge(template, ...components), + }; +}; diff --git a/packages/kbn-es-archiver/src/lib/indices/__mocks__/stubs.ts b/packages/kbn-es-archiver/src/lib/indices/__mocks__/stubs.ts index c60c920100174..1bfbc80f52a19 100644 
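Review bot: `merge(template, ...components)` gives the component templates precedence over the index template's own `template` section, because lodash `merge` lets later sources overwrite earlier ones, whereas Elasticsearch resolves it the other way round (the index template's `template` wins over `composed_of`, and later components win over earlier ones); it also mutates the `template` object taken from the response. `template: merge({}, ...components, template)` reproduces that precedence and leaves the input untouched, and the 'resolves component templates' test cannot tell the two apart because its keys never overlap — a case with one conflicting key would pin the behaviour. Two smaller points in the same function: `indexTemplates[0]` is dereferenced without checking that a template named `templateName` came back, so a missing template surfaces as an unrelated TypeError rather than a message naming it, and `getComponentTemplate` is called without the `{ headers: ES_CLIENT_HEADERS }` that `getIndexTemplate` passes a few lines above.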
--- a/packages/kbn-es-archiver/src/lib/indices/__mocks__/stubs.ts +++ b/packages/kbn-es-archiver/src/lib/indices/__mocks__/stubs.ts @@ -19,7 +19,9 @@ export const createStubStats = (): StubStats => ({ createdIndex: sinon.stub(), createdAliases: sinon.stub(), + createdDataStream: sinon.stub(), deletedIndex: sinon.stub(), + deletedDataStream: sinon.stub(), skippedIndex: sinon.stub(), archivedIndex: sinon.stub(), getTestSummary() { @@ -47,6 +49,11 @@ export const createStubIndexRecord = (index: string, aliases = {}) => ({ value: { index, aliases }, }); +export const createStubDataStreamRecord = (dataStream: string, template: string) => ({ + type: 'data_stream', + value: { data_stream: dataStream, template: { name: template } }, +}); + export const createStubDocRecord = (index: string, id: number) => ({ type: 'doc', value: { index, id }, @@ -140,5 +147,10 @@ export const createStubClient = ( exists: sinon.spy(async () => { throw new Error('Do not use indices.exists(). React to errors instead.'); }), + + createDataStream: sinon.spy(async ({ name }) => {}), + deleteDataStream: sinon.spy(async ({ name }) => {}), + putIndexTemplate: sinon.spy(async ({ name }) => {}), + deleteIndexTemplate: sinon.spy(async ({ name }) => {}), }, } as any); diff --git a/packages/kbn-es-archiver/src/lib/indices/create_index_stream.test.ts b/packages/kbn-es-archiver/src/lib/indices/create_index_stream.test.ts index 615555b405e44..15efa53921743 100644 --- a/packages/kbn-es-archiver/src/lib/indices/create_index_stream.test.ts +++ b/packages/kbn-es-archiver/src/lib/indices/create_index_stream.test.ts @@ -17,6 +17,7 @@ import { createCreateIndexStream } from './create_index_stream'; import { createStubStats, createStubIndexRecord, + createStubDataStreamRecord, createStubDocRecord, createStubClient, createStubLogger, 
@@ -171,6 +172,19 @@ describe('esArchiver: createCreateIndexStream()', () => { expect(output).toEqual(nonRecordValues); }); + + it('creates data streams', async () => { + const client = createStubClient(); + const stats = createStubStats(); + + await createPromiseFromStreams([ + createListStream([createStubDataStreamRecord('foo-datastream', 'foo-template')]), + createCreateIndexStream({ client, stats, log }), + ]); + + sinon.assert.calledOnce(client.indices.putIndexTemplate as sinon.SinonSpy); + sinon.assert.calledOnce(client.indices.createDataStream as sinon.SinonSpy); + }); }); describe('deleteKibanaIndices', () => { diff --git a/packages/kbn-es-archiver/src/lib/indices/create_index_stream.ts b/packages/kbn-es-archiver/src/lib/indices/create_index_stream.ts index 2ab53a2ca012c..38f4bed755262 100644 --- a/packages/kbn-es-archiver/src/lib/indices/create_index_stream.ts +++ b/packages/kbn-es-archiver/src/lib/indices/create_index_stream.ts @@ -13,15 +13,18 @@ import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { Client } from '@elastic/elasticsearch'; import { ToolingLog } from '@kbn/tooling-log'; +import { IndicesPutIndexTemplateRequest } from '@elastic/elasticsearch/lib/api/types'; import { Stats } from '../stats'; import { deleteKibanaIndices } from './kibana_index'; import { deleteIndex } from './delete_index'; +import { deleteDataStream } from './delete_data_stream'; import { ES_CLIENT_HEADERS } from '../../client_headers'; interface DocRecord { value: estypes.IndicesIndexState & { index: string; type: string; + template?: IndicesPutIndexTemplateRequest; }; } 
@@ -54,6 +57,43 @@ export function createCreateIndexStream({ stream.push(record); } + async function handleDataStream(record: DocRecord, attempts = 1) { + if (docsOnly) return; + + const { data_stream: dataStream, template } = record.value as { + data_stream: string; + template: IndicesPutIndexTemplateRequest; + }; + + try { + await client.indices.putIndexTemplate(template, { + headers: ES_CLIENT_HEADERS, + }); + + await client.indices.createDataStream( + { name: dataStream }, + { + headers: ES_CLIENT_HEADERS, + } + ); + stats.createdDataStream(dataStream, template.name, { template }); + } catch (err) { + if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception' || attempts >= 3) { + throw err; + } + + if (skipExisting) { + skipDocsFromIndices.add(dataStream); + stats.skippedIndex(dataStream); + return; + } + + await deleteDataStream(client, dataStream, template.name); + stats.deletedDataStream(dataStream, template.name); + await handleDataStream(record, attempts + 1); + } + } + async function handleIndex(record: DocRecord) { const { index, settings, mappings, aliases } = record.value; const isKibanaTaskManager = index.startsWith('.kibana_task_manager'); @@ -134,6 +174,10 @@ export function createCreateIndexStream({ await handleIndex(record); break; + case 'data_stream': + await handleDataStream(record); + break; + case 'doc': await handleDoc(this, record); break; diff --git a/packages/kbn-es-archiver/src/lib/indices/delete_data_stream.ts b/packages/kbn-es-archiver/src/lib/indices/delete_data_stream.ts new file mode 100644 index 0000000000000..6aa68db4216f4 --- /dev/null +++ b/packages/kbn-es-archiver/src/lib/indices/delete_data_stream.ts 
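Review bot: In the `skipExisting` branch, `skipDocsFromIndices.add(dataStream)` registers the stream name, but the doc records this patch generates for data streams carry the backing index in `value.index` and the stream name in `value.data_stream`; `handleDoc` is outside this hunk, so please confirm it checks `record.value.data_stream || record.value.index` against the set, otherwise documents of a skipped stream are still indexed. Note also that `putIndexTemplate` runs before `createDataStream`, so with `skipExisting` an existing stream keeps its data but has its index template replaced by the archive's copy — if that is intended, a comment such as `// the index template is (re)written even when the stream already exists and is skipped` would save the next reader a trip through the control flow. A one-line comment on why `attempts >= 3` is the retry cap for the delete-and-recreate path would help for the same reason.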
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { Client } from '@elastic/elasticsearch';
+
+export async function deleteDataStream(client: Client, datastream: string, template: string) {
+ await client.indices.deleteDataStream({ name: datastream });
+ await client.indices.deleteIndexTemplate({ name: template });
+}
diff --git a/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.test.ts b/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.test.ts
index 241d4a8944546..4917deab542d4 100644
--- a/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.test.ts
+++ b/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.test.ts
@@ -16,6 +16,7 @@ import {
 createStubStats,
 createStubClient,
 createStubIndexRecord,
+ createStubDataStreamRecord,
 createStubLogger,
 } from './__mocks__/stubs';
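Review bot: Neither call passes `{ headers: ES_CLIENT_HEADERS }`, which the create path in create_index_stream.ts sends with `putIndexTemplate` and `createDataStream`; the delete path should send the same: `await client.indices.deleteDataStream({ name: datastream }, { headers: ES_CLIENT_HEADERS });` and likewise for `deleteIndexTemplate`. There is also no handling of a not-found response, so unloading an archive whose stream or template is already gone fails on the first call (the index counterpart `deleteIndex` is outside this diff, so I cannot tell whether it is more lenient). Deleting the index template after the stream also removes it for any other data stream that still uses it, which deserves a doc comment on the function stating that the template is assumed to belong to this archive alone.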
@@ -51,4 +52,25 @@ describe('esArchiver: createDeleteIndexStream()', () => { sinon.assert.calledOnce(client.indices.delete as sinon.SinonSpy); sinon.assert.notCalled(client.indices.exists as sinon.SinonSpy); }); + + it('deletes data streams', async () => { + const stats = createStubStats(); + const client = createStubClient([]); + + await createPromiseFromStreams([ + createListStream([createStubDataStreamRecord('foo-datastream', 'foo-template')]), + createDeleteIndexStream(client, stats, log), + ]); + + sinon.assert.calledOnce(stats.deletedDataStream as sinon.SinonSpy); + sinon.assert.notCalled(client.indices.create as sinon.SinonSpy); + sinon.assert.calledOnce(client.indices.deleteDataStream as sinon.SinonSpy); + sinon.assert.calledWith(client.indices.deleteDataStream as sinon.SinonSpy, { + name: 'foo-datastream', + }); + sinon.assert.calledOnce(client.indices.deleteIndexTemplate as sinon.SinonSpy); + sinon.assert.calledWith(client.indices.deleteIndexTemplate as sinon.SinonSpy, { + name: 'foo-template', + }); + }); }); diff --git a/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.ts b/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.ts index 450d575181529..c7633465ccc4c 100644 --- a/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.ts +++ b/packages/kbn-es-archiver/src/lib/indices/delete_index_stream.ts @@ -13,6 +13,7 @@ import { ToolingLog } from '@kbn/tooling-log'; import { Stats } from '../stats'; import { deleteIndex } from './delete_index'; import { cleanKibanaIndices } from './kibana_index'; +import { deleteDataStream } from './delete_data_stream'; export function createDeleteIndexStream(client: Client, stats: Stats, log: ToolingLog) { return new Transform({ 
@@ -20,7 +21,11 @@ export function createDeleteIndexStream(client: Client, stats: Stats, log: Tooli writableObjectMode: true, async transform(record, enc, callback) { try { - if (!record || record.type === 'index') { + if (!record) { + log.warning(`deleteIndexStream: empty index provided`); + return callback(); + } + if (record.type === 'index') { const { index } = record.value; if (index.startsWith('.kibana')) { @@ -28,6 +33,14 @@ export function createDeleteIndexStream(client: Client, stats: Stats, log: Tooli } else { await deleteIndex({ client, stats, log, index }); } + } else if (record.type === 'data_stream') { + const { + data_stream: dataStream, + template: { name }, + } = record.value; + + await deleteDataStream(client, dataStream, name); + stats.deletedDataStream(dataStream, name); } else { this.push(record); } diff --git a/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.test.ts b/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.test.ts index fbd351cea63a9..566760b0ddf88 100644 --- a/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.test.ts +++ b/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.test.ts @@ -9,10 +9,12 @@ import sinon from 'sinon'; import { createListStream, createPromiseFromStreams, createConcatStream } from '@kbn/utils'; -import { createStubClient, createStubStats } from './__mocks__/stubs'; +import { createStubClient, createStubLogger, createStubStats } from './__mocks__/stubs'; import { createGenerateIndexRecordsStream } from './generate_index_records_stream'; +const log = createStubLogger(); + describe('esArchiver: createGenerateIndexRecordsStream()', () => { it('consumes index names and queries for the mapping of each', async () => { const indices = ['index1', 'index2', 'index3', 'index4']; 
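Review bot: `log.warning(\`deleteIndexStream: empty index provided\`)` is a template literal with no substitutions, and the message names an index although what is missing is the record itself; `log.warning('deleteIndexStream: empty record provided');` reads more accurately. The `data_stream` branch destructures `template: { name }` straight out of `record.value`, so an archive record of that type without a `template` fails with a bare TypeError; a guard that throws an error naming `dataStream` would make a malformed archive easier to diagnose. The transform callback begins before this hunk.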
@@ -21,7 +23,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { await createPromiseFromStreams([ createListStream(indices), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), ]); expect(stats.getTestSummary()).toEqual({ @@ -40,7 +42,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { await createPromiseFromStreams([ createListStream(['index1']), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), ]); const params = (client.indices.get as sinon.SinonSpy).args[0][0]; @@ -58,7 +60,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { const indexRecords = await createPromiseFromStreams([ createListStream(['index1', 'index2', 'index3']), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), createConcatStream([]), ]); @@ -83,7 +85,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { const indexRecords = await createPromiseFromStreams([ createListStream(['index1']), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), createConcatStream([]), ]); @@ -107,7 +109,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { const indexRecords = await createPromiseFromStreams([ createListStream(['.kibana_7.16.0_001']), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), createConcatStream([]), ]); @@ -122,7 +124,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { const indexRecords = await createPromiseFromStreams([ createListStream(['.foo']), - createGenerateIndexRecordsStream({ client, stats }), + createGenerateIndexRecordsStream({ client, stats, log }), createConcatStream([]), ]); 
@@ -137,7 +139,7 @@ describe('esArchiver: createGenerateIndexRecordsStream()', () => { const indexRecords = await createPromiseFromStreams([ createListStream(['.kibana_7.16.0_001']), - createGenerateIndexRecordsStream({ client, stats, keepIndexNames: true }), + createGenerateIndexRecordsStream({ client, stats, log, keepIndexNames: true }), createConcatStream([]), ]); diff --git a/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.ts b/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.ts index e3efaa2851609..de32e93e27398 100644 --- a/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.ts +++ b/packages/kbn-es-archiver/src/lib/indices/generate_index_records_stream.ts @@ -8,18 +8,28 @@ import type { Client } from '@elastic/elasticsearch'; import { Transform } from 'stream'; +import { ToolingLog } from '@kbn/tooling-log'; import { Stats } from '../stats'; import { ES_CLIENT_HEADERS } from '../../client_headers'; +import { getIndexTemplate } from '..'; + +const headers = { + headers: ES_CLIENT_HEADERS, +}; export function createGenerateIndexRecordsStream({ client, stats, keepIndexNames, + log, }: { client: Client; stats: Stats; keepIndexNames?: boolean; + log: ToolingLog; }) { + const seenDatastreams = new Set(); + return new Transform({ writableObjectMode: true, readableObjectMode: true, @@ -32,6 +42,7 @@ export function createGenerateIndexRecordsStream({ filter_path: [ '*.settings', '*.mappings', + '*.data_stream', // remove settings that aren't really settings '-*.settings.index.creation_date', '-*.settings.index.uuid', 
@@ -44,37 +55,58 @@ export function createGenerateIndexRecordsStream({ ], }, { - headers: ES_CLIENT_HEADERS, + ...headers, meta: true, } ) ).body; - for (const [index, { settings, mappings }] of Object.entries(resp)) { - const { - body: { - [index]: { aliases }, - }, - } = await client.indices.getAlias( - { index }, - { - headers: ES_CLIENT_HEADERS, - meta: true, + for (const [index, { data_stream: dataStream, settings, mappings }] of Object.entries( + resp + )) { + if (dataStream) { + log.info(`${index} will be saved as data_stream ${dataStream}`); + + if (seenDatastreams.has(dataStream)) { + log.info(`${dataStream} is already archived`); + continue; } - ); - stats.archivedIndex(index, { settings, mappings }); - this.push({ - type: 'index', - value: { - // if keepIndexNames is false, rewrite the .kibana_* index to .kibana_1 so that - // when it is loaded it can skip migration, if possible - index: index.startsWith('.kibana') && !keepIndexNames ? '.kibana_1' : index, - settings, - mappings, - aliases, - }, - }); + const { data_streams: dataStreams } = await client.indices.getDataStream( + { name: dataStream }, + headers + ); + const template = await getIndexTemplate(client, dataStreams[0].template); + + seenDatastreams.add(dataStream); + stats.archivedIndex(dataStream, { template }); + this.push({ + type: 'data_stream', + value: { + data_stream: dataStream, + template, + }, + }); + } else { + const { + body: { + [index]: { aliases }, + }, + } = await client.indices.getAlias({ index }, { ...headers, meta: true }); + + stats.archivedIndex(index, { settings, mappings }); + this.push({ + type: 'index', + value: { + // if keepIndexNames is false, rewrite the .kibana_* index to .kibana_1 so that + // when it is loaded it can skip migration, if possible + index: index.startsWith('.kibana') && !keepIndexNames ? '.kibana_1' : index, + settings, + mappings, + aliases, + }, + }); + } } callback(); 
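Review bot: `import { getIndexTemplate } from '..'` pulls the helper through the lib barrel (`src/lib/index.ts`, which this patch extends with that export); if the barrel also re-exports the indices streams, that is a circular import whose outcome depends on module evaluation order, and `import { getIndexTemplate } from '../index_template';` avoids the question entirely. `dataStreams[0].template` is dereferenced without checking that `getDataStream` returned an entry, so a stream that disappears mid-archive surfaces as a TypeError rather than a message naming `dataStream`. The stream is recorded with `stats.archivedIndex(dataStream, { template })` even though the patch adds dedicated `createdDataStream`/`deletedDataStream` methods in stats.ts — an `archivedDataStream` counterpart would keep the summary consistent. The enclosing `transform` starts before this hunk.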
diff --git a/packages/kbn-es-archiver/src/lib/records/filter_records_stream.test.ts b/packages/kbn-es-archiver/src/lib/records/filter_records_stream.test.ts index 506507ba0b9e6..901664988d165 100644 --- a/packages/kbn-es-archiver/src/lib/records/filter_records_stream.test.ts +++ b/packages/kbn-es-archiver/src/lib/records/filter_records_stream.test.ts @@ -26,7 +26,7 @@ describe('esArchiver: createFilterRecordsStream()', () => { }, chance.bool(), ]), - createFilterRecordsStream('type'), + createFilterRecordsStream((record) => record.type === 'type'), createConcatStream([]), ]); @@ -45,7 +45,7 @@ describe('esArchiver: createFilterRecordsStream()', () => { { type: chance.word({ length: 10 }), value: {} }, { type: chance.word({ length: 10 }), value: {} }, ]), - createFilterRecordsStream(type1), + createFilterRecordsStream((record) => record.type === type1), createConcatStream([]), ]); diff --git a/packages/kbn-es-archiver/src/lib/records/filter_records_stream.ts b/packages/kbn-es-archiver/src/lib/records/filter_records_stream.ts index 69ab06454f93b..9ded38a6f2b58 100644 --- a/packages/kbn-es-archiver/src/lib/records/filter_records_stream.ts +++ b/packages/kbn-es-archiver/src/lib/records/filter_records_stream.ts @@ -8,13 +8,13 @@ import { Transform } from 'stream'; -export function createFilterRecordsStream(type: string) { +export function createFilterRecordsStream(fn: (record: any) => boolean) { return new Transform({ writableObjectMode: true, readableObjectMode: true, transform(record, enc, callback) { - if (record && record.type === type) { + if (record && fn(record)) { callback(undefined, record); } else { callback(); diff --git a/packages/kbn-es-archiver/src/lib/stats.ts b/packages/kbn-es-archiver/src/lib/stats.ts index 9ff16d57b8661..1b533a18acade 100644 --- a/packages/kbn-es-archiver/src/lib/stats.ts +++ b/packages/kbn-es-archiver/src/lib/stats.ts 
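Review bot: `fn: (record: any) => boolean` in createFilterRecordsStream drops the typing the previous `type: string` parameter gave callers; both call sites in this patch only read `record.type`, so `fn: (record: { type: string }) => boolean` keeps the contract checkable without widening to `any`. The `record && fn(record)` guard still shields the predicate from null records, which is worth a one-line comment such as `// null records are dropped before the predicate sees them` since a predicate author may not expect it.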
@@ -83,6 +83,15 @@ export function createStats(name: string, log: ToolingLog) { info('Deleted existing index %j', index); } + /** + * Record that a data stream was deleted + * @param index + */ + public deletedDataStream(stream: string, template: string) { + getOrCreate(stream).deleted = true; + info('Deleted existing data stream %j with index template %j', stream, template); + } + /** * Record that an index was created * @param index @@ -95,6 +104,18 @@ export function createStats(name: string, log: ToolingLog) { }); } + /** + * Record that a data stream was created + * @param index + */ + public createdDataStream(stream: string, template: string, metadata: Record = {}) { + getOrCreate(stream).created = true; + info('Created data stream %j with index template %j', stream, template); + Object.keys(metadata).forEach((key) => { + debug('%j %s %j', stream, key, metadata[key]); + }); + } + /** * Record that an index was written to the archives * @param index diff --git a/packages/kbn-es-query/src/filters/helpers/convert_range_filter.test.ts b/packages/kbn-es-query/src/filters/helpers/convert_range_filter.test.ts new file mode 100644 index 0000000000000..685edfd106bf3 --- /dev/null +++ b/packages/kbn-es-query/src/filters/helpers/convert_range_filter.test.ts 
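Review bot: The JSDoc on both new methods says `@param index`, copied from the index counterparts, but the parameters are `stream` and `template` (plus `metadata` on `createdDataStream`); `@param stream name of the data stream` and `@param template name of its index template` describe what is actually logged. `metadata: Record = {}` has no type arguments — unless that is a rendering artifact of this page, it will not type-check and presumably should match the metadata type used by `createdIndex`. The `createStats` closure these methods live in begins before the hunk.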
@@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import moment from 'moment'; +import { convertRangeFilterToTimeRange } from './convert_range_filter'; + +describe('convertRangeFilterToTimeRange', () => { + const gt = 1388559600000; + const lt = 1388646000000; + + it('should return converted range', () => { + const filter: any = { query: { range: { '@timestamp': { gte: gt, lte: lt } } } }; + const filterAfterConvertedRangeFilter = { + from: moment(gt), + to: moment(lt), + }; + const convertedRangeFilter = convertRangeFilterToTimeRange(filter); + + expect(convertedRangeFilter).toEqual(filterAfterConvertedRangeFilter); + }); +}); diff --git a/src/plugins/data/public/query/timefilter/lib/change_time_filter.ts b/packages/kbn-es-query/src/filters/helpers/convert_range_filter.ts similarity index 75% rename from src/plugins/data/public/query/timefilter/lib/change_time_filter.ts rename to packages/kbn-es-query/src/filters/helpers/convert_range_filter.ts index 9b53f04bd2066..34f9fb949e913 100644 --- a/src/plugins/data/public/query/timefilter/lib/change_time_filter.ts +++ b/packages/kbn-es-query/src/filters/helpers/convert_range_filter.ts @@ -8,9 +8,8 @@ import moment from 'moment'; import { keys } from 'lodash'; -import { RangeFilter } from '@kbn/es-query'; -import { TimefilterContract } from '..'; -import { TimeRange } from '../../../../common'; +import type { RangeFilter } from '../build_filters'; +import type { TimeRange } from './types'; export function convertRangeFilterToTimeRange(filter: RangeFilter) { const key = keys(filter.query.range)[0]; 
@@ -29,7 +28,3 @@ export function convertRangeFilterToTimeRangeString(filter: RangeFilter): TimeRa to: to?.toISOString(), }; } - -export function changeTimeFilter(timeFilter: TimefilterContract, filter: RangeFilter) { - timeFilter.setTime(convertRangeFilterToTimeRange(filter)); -} diff --git a/src/plugins/data/public/query/timefilter/lib/extract_time_filter.test.ts b/packages/kbn-es-query/src/filters/helpers/extract_time_filter.test.ts similarity index 82% rename from src/plugins/data/public/query/timefilter/lib/extract_time_filter.test.ts rename to packages/kbn-es-query/src/filters/helpers/extract_time_filter.test.ts index 8f25792efbbdb..a5065e14bd159 100644 --- a/src/plugins/data/public/query/timefilter/lib/extract_time_filter.test.ts +++ b/packages/kbn-es-query/src/filters/helpers/extract_time_filter.test.ts @@ -7,22 +7,16 @@ */ import { extractTimeFilter } from './extract_time_filter'; -import { - Filter, - IIndexPattern, - IFieldType, - buildQueryFilter, - buildRangeFilter, - buildPhraseFilter, -} from '../../../../common'; +import { Filter, buildQueryFilter, buildRangeFilter, buildPhraseFilter } from '../build_filters'; +import { DataViewBase, DataViewFieldBase } from '../../es_query'; describe('filter manager utilities', () => { - let indexPattern: IIndexPattern; + let indexPattern: DataViewBase; beforeEach(() => { indexPattern = { id: 'logstash-*', - } as IIndexPattern; + } as DataViewBase; }); describe('extractTimeFilter()', () => { @@ -30,7 +24,7 @@ describe('filter manager utilities', () => { const filters: Filter[] = [ buildQueryFilter({ query_string: { query: 'apache' } }, 'logstash-*', ''), buildRangeFilter( - { name: 'time' } as IFieldType, + { name: 'time' } as DataViewFieldBase, { gt: 1388559600000, lt: 1388646000000 }, indexPattern ), 
@@ -45,7 +39,7 @@ describe('filter manager utilities', () => { const filters: Filter[] = [ buildQueryFilter({ query_string: { query: 'apache' } }, 'logstash-*', ''), buildRangeFilter( - { name: '@timestamp' } as IFieldType, + { name: '@timestamp' } as DataViewFieldBase, { from: 1, to: 2 }, indexPattern, '' @@ -60,7 +54,7 @@ describe('filter manager utilities', () => { test('should not return a non range filter, even when names match', async () => { const filters: Filter[] = [ buildQueryFilter({ query_string: { query: 'apache' } }, 'logstash-*', ''), - buildPhraseFilter({ name: 'time' } as IFieldType, 'banana', indexPattern), + buildPhraseFilter({ name: 'time' } as DataViewFieldBase, 'banana', indexPattern), ]; const result = await extractTimeFilter('time', filters); diff --git a/src/plugins/data/public/query/timefilter/lib/extract_time_filter.ts b/packages/kbn-es-query/src/filters/helpers/extract_time_filter.ts similarity index 86% rename from src/plugins/data/public/query/timefilter/lib/extract_time_filter.ts rename to packages/kbn-es-query/src/filters/helpers/extract_time_filter.ts index 77c6aeb144cf8..337158980c51a 100644 --- a/src/plugins/data/public/query/timefilter/lib/extract_time_filter.ts +++ b/packages/kbn-es-query/src/filters/helpers/extract_time_filter.ts @@ -6,10 +6,10 @@ * Side Public License, v 1. */ -import { Filter, isRangeFilter, RangeFilter } from '@kbn/es-query'; import { keys, partition } from 'lodash'; -import { TimeRange } from '../../../../common'; -import { convertRangeFilterToTimeRangeString } from './change_time_filter'; +import { Filter, isRangeFilter, RangeFilter } from '../build_filters'; +import { TimeRange } from './types'; +import { convertRangeFilterToTimeRangeString } from './convert_range_filter'; export function extractTimeFilter(timeFieldName: string, filters: Filter[]) { const [timeRangeFilter, restOfFilters] = partition(filters, (obj: Filter) => { 
diff --git a/packages/kbn-es-query/src/filters/helpers/index.ts b/packages/kbn-es-query/src/filters/helpers/index.ts index d94719ea46b27..815ae23dd3172 100644 --- a/packages/kbn-es-query/src/filters/helpers/index.ts +++ b/packages/kbn-es-query/src/filters/helpers/index.ts @@ -11,3 +11,6 @@ export * from './dedup_filters'; export * from './uniq_filters'; export * from './meta_filter'; export * from './only_disabled'; +export * from './extract_time_filter'; +export * from './convert_range_filter'; +export * from './types'; diff --git a/packages/kbn-es-query/src/filters/helpers/types.ts b/packages/kbn-es-query/src/filters/helpers/types.ts new file mode 100644 index 0000000000000..bfc08c55cc9b2 --- /dev/null +++ b/packages/kbn-es-query/src/filters/helpers/types.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +// eslint-disable-next-line @typescript-eslint/consistent-type-definitions +export type TimeRange = { + from: string; + to: string; + mode?: 'absolute' | 'relative'; +}; diff --git a/packages/kbn-es-query/src/filters/index.ts b/packages/kbn-es-query/src/filters/index.ts index c202892cd9c3f..765a4a68d2aea 100644 --- a/packages/kbn-es-query/src/filters/index.ts +++ b/packages/kbn-es-query/src/filters/index.ts @@ -6,7 +6,8 @@ * Side Public License, v 1. */ -export type { FilterCompareOptions } from './helpers'; +export type { FilterCompareOptions, TimeRange } from './helpers'; + export { dedupFilters, uniqFilters, @@ -25,6 +26,9 @@ export { toggleFilterDisabled, toggleFilterPinned, unpinFilter, + extractTimeFilter, + extractTimeRange, + convertRangeFilterToTimeRange, } from './helpers'; export { 
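Review bot: The new `TimeRange` in `helpers/types.ts` is exported without documentation and duplicates the `TimeRange` these helpers previously imported from the data plugin's `common`, and two structurally identical types under one name are easy to let drift. A short comment above it, e.g. `/** String bounds of a time range; `mode` marks it as absolute or relative. */`, plus a decision on whether the data plugin should re-export this one, would make the intended source of truth clear. Note also that `convertRangeFilterToTimeRange` returns moment objects (per the test added in this diff) while `convertRangeFilterToTimeRangeString` is the one typed as `TimeRange`, yet the filters/index.ts export block pairs the former with `TimeRange`; a doc line naming the difference would help callers pick the right helper. `extractTimeRange` is added to the export list but its definition is not visible in this diff — presumably it lives in the renamed `extract_time_filter.ts`, which is worth confirming.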
diff --git a/packages/kbn-es-query/src/index.ts b/packages/kbn-es-query/src/index.ts index 02d54df995176..bde089d12e39b 100644 --- a/packages/kbn-es-query/src/index.ts +++ b/packages/kbn-es-query/src/index.ts @@ -34,6 +34,7 @@ export type { RangeFilterParams, ScriptedPhraseFilter, ScriptedRangeFilter, + TimeRange, } from './filters'; export type { @@ -96,6 +97,9 @@ export { toggleFilterPinned, uniqFilters, unpinFilter, + extractTimeFilter, + extractTimeRange, + convertRangeFilterToTimeRange, } from './filters'; export { diff --git a/packages/kbn-es/BUILD.bazel b/packages/kbn-es/BUILD.bazel index 2ea9c32858dd3..892cd43244de7 100644 --- a/packages/kbn-es/BUILD.bazel +++ b/packages/kbn-es/BUILD.bazel @@ -24,7 +24,6 @@ filegroup( NPM_MODULE_EXTRA_FILES = [ "package.json", - "README.md", ] RUNTIME_DEPS = [ diff --git a/packages/kbn-es/README.md b/packages/kbn-es/README.mdx similarity index 70% rename from packages/kbn-es/README.md rename to packages/kbn-es/README.mdx index 80850c9e6a09c..a5392504490fe 100644 --- a/packages/kbn-es/README.md +++ b/packages/kbn-es/README.mdx @@ -1,6 +1,13 @@ -# @kbn/es +--- +id: kibDevDocsOpsEs +slug: /kibana-dev-docs/ops/es +title: "@kbn/es" +description: A cli package for running elasticsearch or building snapshot artifacts +date: 2022-05-24 +tags: ['kibana', 'dev', 'contributor', 'operations', 'es'] +--- -> A command line utility for running elasticsearch from source or archive. +> A command line utility for running elasticsearch from snapshot, source, archive or even building snapshot artifacts. ## Getting started If running elasticsearch from source, elasticsearch needs to be cloned to a sibling directory of Kibana. 
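Review bot: `"README.md"` is dropped from `NPM_MODULE_EXTRA_FILES` in `packages/kbn-es/BUILD.bazel` while the file is renamed to `README.mdx` in the same commit, and the new name is not added back, so the built package will ship without a readme. If that is deliberate (the mdx feeds the dev-docs site rather than the npm artifact), a one-line comment next to the list would save the next reader the question; otherwise add `"README.mdx",` in its place.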
@@ -71,41 +78,20 @@ To use these steps you'll need to setup the google-cloud-sdk, which can be insta 1. Clone the elasticsearch repo somewhere 2. Checkout the branch you want to build - 3. Run the following to delete old distributables + 3. Build the new artifacts ``` - find distribution/archives -type f \( -name 'elasticsearch-*-*.tar.gz' -o -name 'elasticsearch-*-*.zip' \) -not -path *no-jdk* -exec rm {} \; + node scripts/es build_snapshots --output=~/Downloads/tmp-artifacts --source-path=/path/to/es/repo ``` - 4. Build the new artifacts - - ``` - ./gradlew -p distribution/archives assemble --parallel - ``` - - 4. Copy new artifacts to your `~/Downloads/tmp-artifacts` - - ``` - rm -rf ~/Downloads/tmp-artifacts - mkdir ~/Downloads/tmp-artifacts - find distribution/archives -type f \( -name 'elasticsearch-*-*.tar.gz' -o -name 'elasticsearch-*-*.zip' \) -not -path *no-jdk* -exec cp {} ~/Downloads/tmp-artifacts \; - ``` - - 5. Calculate shasums of the uploads - - ``` - cd ~/Downloads/tmp-artifacts - find * -exec bash -c "shasum -a 512 {} > {}.sha512" \; - ``` - - 6. Check that the files in `~/Downloads/tmp-artifacts` look reasonable - 7. Upload the files to GCS + 4. Check that the files in `~/Downloads/tmp-artifacts` look reasonable + 5. Upload the files to GCS ``` gsutil -m rsync . gs://kibana-ci-tmp-artifacts/ ``` - 8. Once the artifacts are uploaded, modify `packages/kbn-es/src/custom_snapshots.js` in a PR to use a URL formatted like: + 6. Once the artifacts are uploaded, modify `packages/kbn-es/src/custom_snapshots.js` in a PR to use a URL formatted like: ``` // force use of manually created snapshots until ReindexPutMappings fix diff --git a/packages/kbn-es/src/cli_commands/build_snapshots.js b/packages/kbn-es/src/cli_commands/build_snapshots.js index 070f11b8b5f84..b4a15a0645cce 100644 --- a/packages/kbn-es/src/cli_commands/build_snapshots.js +++ b/packages/kbn-es/src/cli_commands/build_snapshots.js 
@@ -6,6 +6,7 @@ * Side Public License, v 1. */ +const dedent = require('dedent'); const { resolve, basename } = require('path'); const { createHash } = require('crypto'); const { promisify } = require('util'); @@ -21,7 +22,16 @@ const pipelineAsync = promisify(pipeline); exports.description = 'Build and collect ES snapshots'; -exports.help = () => ``; +exports.help = () => dedent` + Options: + + --output Path to create the built elasticsearch snapshots + --source-path Path where the elasticsearch repository is checked out + + Example: + + es build_snapshots --source-path=/path/to/es/checked/repo --output=/tmp/es-built-snapshots + `; exports.run = async (defaults = {}) => { const argv = process.argv.slice(2); diff --git a/packages/kbn-monaco/src/monaco_imports.ts b/packages/kbn-monaco/src/monaco_imports.ts index 3f689e6ec0c01..6a08c25b6347a 100644 --- a/packages/kbn-monaco/src/monaco_imports.ts +++ b/packages/kbn-monaco/src/monaco_imports.ts @@ -16,6 +16,7 @@ import 'monaco-editor/esm/vs/editor/browser/controller/coreCommands.js'; import 'monaco-editor/esm/vs/editor/browser/widget/codeEditorWidget.js'; import 'monaco-editor/esm/vs/editor/contrib/wordOperations/wordOperations.js'; // Needed for word-wise char navigation +import 'monaco-editor/esm/vs/editor/contrib/linesOperations/linesOperations.js'; // Needed for enabling shortcuts of removing/joining/moving lines import 'monaco-editor/esm/vs/editor/contrib/folding/folding.js'; // Needed for folding import 'monaco-editor/esm/vs/editor/contrib/suggest/suggestController.js'; // Needed for suggestions import 'monaco-editor/esm/vs/editor/contrib/hover/hover.js'; // Needed for hover diff --git a/packages/kbn-optimizer/limits.yml b/packages/kbn-optimizer/limits.yml index 41e404c905935..6e603698d053a 100644 --- a/packages/kbn-optimizer/limits.yml +++ b/packages/kbn-optimizer/limits.yml 
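Review bot: The new `exports.help` text lists `--output` and `--source-path` without saying whether either is required or what happens when one is omitted; `exports.run` starts at the end of the hunk and its option handling is outside the view, so I cannot tell whether defaults exist. Appending `(required)` or `(default: …)` to each option line would settle that for users. The example invokes the command as `es build_snapshots …` while the README in this diff uses `node scripts/es build_snapshots …`; aligning the two avoids a copy-paste failure.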
@@ -27,7 +27,7 @@ pageLoadAssetSize: indexLifecycleManagement: 107090 indexManagement: 140608 infra: 184320 - fleet: 95000 + fleet: 100000 ingestPipelines: 58003 inputControlVis: 172675 inspector: 148711 @@ -130,3 +130,4 @@ pageLoadAssetSize: synthetics: 40958 expressionXY: 34000 kibanaUsageCollection: 16463 + kubernetesSecurity: 77234 diff --git a/packages/kbn-test/jest-preset.js b/packages/kbn-test/jest-preset.js index fb535c2766cc4..0e13686cafeb8 100644 --- a/packages/kbn-test/jest-preset.js +++ b/packages/kbn-test/jest-preset.js @@ -45,7 +45,7 @@ module.exports = { '^(!!)?file-loader!': '/node_modules/@kbn/test/target_node/jest/mocks/file_mock.js', ...Object.fromEntries( Array.from(pkgMap.entries()).map(([pkgId, repoRelativeDir]) => [ - `^${pkgId}(/?.*)$`, + `^${pkgId}(/.*)?$`, `/${repoRelativeDir}$1`, ]) ), diff --git a/packages/kbn-test/src/es/test_es_cluster.ts b/packages/kbn-test/src/es/test_es_cluster.ts index a2cfbcf31c279..1eb48ca58d950 100644 --- a/packages/kbn-test/src/es/test_es_cluster.ts +++ b/packages/kbn-test/src/es/test_es_cluster.ts @@ -283,7 +283,7 @@ export function createTestEsCluster< } async stop() { - await Promise.all( + const results = await Promise.allSettled( this.nodes.map(async (node, i) => { log.info(`[es] stopping node ${nodes[i].name}`); await node.stop(); @@ -291,8 +291,22 @@ export function createTestEsCluster< ); log.info('[es] stopped'); - await this.captureDebugFiles(); + this.handleStopResults(results); + } + + private handleStopResults(results: Array>) { + const failures = results.flatMap((r) => (r.status === 'rejected' ? r : [])); + if (failures.length === 1) { + throw failures[0].reason; + } + if (failures.length > 1) { + throw new Error( + `${failures.length} nodes failed:\n - ${failures + .map((f) => f.reason.message) + .join('\n - ')}` + ); + } } async captureDebugFiles() { 
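Review bot: In `jest-preset.js` the corrected mapper pattern still interpolates `pkgId` into the regex unescaped, so a package id containing a regex metacharacter (a `.` is the likely one) would match more module names than intended and could resolve to the wrong directory. Escaping it once before interpolation is cheap: `pkgId.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')`. Whether any current id needs it I cannot tell from here, since `pkgMap` is built outside the hunk.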
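Review bot: In the new `handleStopResults` the multi-failure branch maps `f.reason.message`, which assumes every rejection reason is an `Error`; a node that rejects with a string or other value would show up as `undefined` in the aggregated message. `.map((f) => (f.reason instanceof Error ? f.reason.message : String(f.reason)))` keeps the summary informative. Separately, `stop()` now calls `handleStopResults(results)` where it previously awaited `captureDebugFiles()`, so a plain stop no longer captures debug files (`cleanup()` still does); if that is intended, a one-line comment on `stop()` saying so would prevent it being read as a regression.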
@@ -340,7 +354,7 @@ export function createTestEsCluster< async cleanup() { log.info('[es] killing', this.nodes.length === 1 ? 'node' : `${this.nodes.length} nodes`); - await Promise.all( + const results = await Promise.allSettled( this.nodes.map(async (node, i) => { log.info(`[es] stopping node ${nodes[i].name}`); // we are deleting this install, stop ES more aggressively @@ -351,6 +365,7 @@ export function createTestEsCluster< await this.captureDebugFiles(); await del(config.installPath, { force: true }); log.info('[es] cleanup complete'); + this.handleStopResults(results); } /** diff --git a/scripts/synthtrace.js b/scripts/synthtrace.js new file mode 100644 index 0000000000000..5f91d5ef1e2b1 --- /dev/null +++ b/scripts/synthtrace.js @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +require('../src/setup_node_env/node_version_validator'); +require('@elastic/apm-synthtrace/bin/synthtrace'); diff --git a/src/core/public/analytics/analytics_service.ts b/src/core/public/analytics/analytics_service.ts index f1c00b293808b..b774109e79d61 100644 --- a/src/core/public/analytics/analytics_service.ts +++ b/src/core/public/analytics/analytics_service.ts 
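Review bot: In `cleanup()` the new `this.handleStopResults(results)` call sits after `log.info('[es] cleanup complete')`, so a failed node stop is reported only after the log line has claimed success, which is misleading when reading CI output. Moving the call before that log line, or logging the count of rejected stops before raising, keeps the log and the thrown error consistent. Throwing only after `del(config.installPath, { force: true })` has run is the right order, since the install directory should be removed regardless.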
@@ -6,12 +6,12 @@ * Side Public License, v 1. */ +import { of } from 'rxjs'; import type { AnalyticsClient } from '@kbn/analytics-client'; import { createAnalytics } from '@kbn/analytics-client'; -import { of } from 'rxjs'; +import type { CoreContext } from '@kbn/core-base-browser-internal'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { trackClicks } from './track_clicks'; -import { InjectedMetadataSetup } from '../injected_metadata'; -import { CoreContext } from '../core_system'; import { getSessionId } from './get_session_id'; import { createLogger } from './logger'; @@ -33,7 +33,7 @@ export type AnalyticsServiceStart = Pick< /** @internal */ export interface AnalyticsServiceSetupDeps { - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } export class AnalyticsService { @@ -173,7 +173,7 @@ export class AnalyticsService { * @param injectedMetadata The injected metadata service. * @private */ - private registerElasticsearchInfoContext(injectedMetadata: InjectedMetadataSetup) { + private registerElasticsearchInfoContext(injectedMetadata: InternalInjectedMetadataSetup) { this.analyticsClient.registerContextProvider({ name: 'elasticsearch info', context$: of(injectedMetadata.getElasticsearchInfo()), diff --git a/src/core/public/chrome/chrome_service.test.ts b/src/core/public/chrome/chrome_service.test.ts index dbdc867ea33b3..664b6a3ee1617 100644 --- a/src/core/public/chrome/chrome_service.test.ts +++ b/src/core/public/chrome/chrome_service.test.ts 
@@ -10,11 +10,11 @@ import { shallow } from 'enzyme'; import React from 'react'; import * as Rx from 'rxjs'; import { toArray } from 'rxjs/operators'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { App, PublicAppInfo } from '../application'; import { applicationServiceMock } from '../application/application_service.mock'; import { docLinksServiceMock } from '../doc_links/doc_links_service.mock'; import { httpServiceMock } from '../http/http_service.mock'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; import { notificationServiceMock } from '../notifications/notifications_service.mock'; import { uiSettingsServiceMock } from '../ui_settings/ui_settings_service.mock'; import { ChromeService } from './chrome_service'; diff --git a/src/core/public/chrome/chrome_service.tsx b/src/core/public/chrome/chrome_service.tsx index a9678613b5fd0..f631819b26e4e 100644 --- a/src/core/public/chrome/chrome_service.tsx +++ b/src/core/public/chrome/chrome_service.tsx @@ -12,11 +12,11 @@ import { BehaviorSubject, combineLatest, merge, Observable, of, ReplaySubject } import { flatMap, map, takeUntil } from 'rxjs/operators'; import { parse } from 'url'; import { EuiLink } from '@elastic/eui'; +import type { InternalInjectedMetadataStart } from '@kbn/core-injected-metadata-browser-internal'; import { mountReactNode } from '../utils/mount'; import { InternalApplicationStart } from '../application'; import { DocLinksStart } from '../doc_links'; import { HttpStart } from '../http'; -import { InjectedMetadataStart } from '../injected_metadata'; import { NotificationsStart } from '../notifications'; import { KIBANA_ASK_ELASTIC_LINK } from './constants'; import { ChromeDocTitle, DocTitleService } from './doc_title'; 
@@ -47,7 +47,7 @@ export interface StartDeps { application: InternalApplicationStart; docLinks: DocLinksStart; http: HttpStart; - injectedMetadata: InjectedMetadataStart; + injectedMetadata: InternalInjectedMetadataStart; notifications: NotificationsStart; } diff --git a/src/core/public/core_app/core_app.ts b/src/core/public/core_app/core_app.ts index 648677e67e1cf..5c328096c36f2 100644 --- a/src/core/public/core_app/core_app.ts +++ b/src/core/public/core_app/core_app.ts @@ -7,6 +7,8 @@ */ import { UnregisterCallback } from 'history'; +import type { CoreContext } from '@kbn/core-base-browser-internal'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { InternalApplicationSetup, InternalApplicationStart, @@ -14,10 +16,8 @@ import { AppMountParameters, } from '../application'; import type { HttpSetup, HttpStart } from '../http'; -import type { CoreContext } from '../core_system'; import type { NotificationsSetup, NotificationsStart } from '../notifications'; import type { IUiSettingsClient } from '../ui_settings'; -import type { InjectedMetadataSetup } from '../injected_metadata'; import { renderApp as renderErrorApp, setupPublicBaseUrlConfigWarning, @@ -29,7 +29,7 @@ import { DocLinksStart } from '../doc_links'; export interface SetupDeps { application: InternalApplicationSetup; http: HttpSetup; - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; notifications: NotificationsSetup; } diff --git a/src/core/public/core_system.test.mocks.ts b/src/core/public/core_system.test.mocks.ts index ff24cc8839794..b0accbcd3df70 100644 --- a/src/core/public/core_system.test.mocks.ts +++ b/src/core/public/core_system.test.mocks.ts 
@@ -6,12 +6,12 @@ * Side Public License, v 1. */ +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { applicationServiceMock } from './application/application_service.mock'; import { chromeServiceMock } from './chrome/chrome_service.mock'; import { fatalErrorsServiceMock } from './fatal_errors/fatal_errors_service.mock'; import { httpServiceMock } from './http/http_service.mock'; import { i18nServiceMock } from './i18n/i18n_service.mock'; -import { injectedMetadataServiceMock } from './injected_metadata/injected_metadata_service.mock'; import { notificationServiceMock } from './notifications/notifications_service.mock'; import { overlayServiceMock } from './overlays/overlay_service.mock'; import { pluginsServiceMock } from './plugins/plugins_service.mock'; @@ -40,7 +40,7 @@ export const MockInjectedMetadataService = injectedMetadataServiceMock.create(); export const InjectedMetadataServiceConstructor = jest .fn() .mockImplementation(() => MockInjectedMetadataService); -jest.doMock('./injected_metadata', () => ({ +jest.doMock('@kbn/core-injected-metadata-browser-internal', () => ({ InjectedMetadataService: InjectedMetadataServiceConstructor, })); diff --git a/src/core/public/core_system.ts b/src/core/public/core_system.ts index 9ea1f16f7f226..cf2840eb4f0ad 100644 --- a/src/core/public/core_system.ts +++ b/src/core/public/core_system.ts 
@@ -5,19 +5,19 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ -import { CoreId } from '../server'; -import { PackageInfo, EnvironmentMode } from '../server/types'; + +import type { CoreContext } from '@kbn/core-base-browser-internal'; +import { + InjectedMetadataService, + InjectedMetadataParams, + InternalInjectedMetadataSetup, + InternalInjectedMetadataStart, +} from '@kbn/core-injected-metadata-browser-internal'; import { CoreSetup, CoreStart } from '.'; import { ChromeService } from './chrome'; import { FatalErrorsService, FatalErrorsSetup } from './fatal_errors'; import { HttpService } from './http'; import { I18nService } from './i18n'; -import { - InjectedMetadataParams, - InjectedMetadataService, - InjectedMetadataSetup, - InjectedMetadataStart, -} from './injected_metadata'; import { NotificationsService } from './notifications'; import { OverlayService } from './overlays'; import { PluginsService } from './plugins'; @@ -42,25 +42,16 @@ interface Params { injectedMetadata: InjectedMetadataParams['injectedMetadata']; } -/** @internal */ -export interface CoreContext { - coreId: CoreId; - env: { - mode: Readonly; - packageInfo: Readonly; - }; -} - /** @internal */ export interface InternalCoreSetup extends Omit { application: InternalApplicationSetup; - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } /** @internal */ export interface InternalCoreStart extends Omit { application: InternalApplicationStart; - injectedMetadata: InjectedMetadataStart; + injectedMetadata: InternalInjectedMetadataStart; } /** diff --git a/src/core/public/deprecations/deprecations_service.ts b/src/core/public/deprecations/deprecations_service.ts index d06e0071d2bc7..f538296e027a7 100644 --- a/src/core/public/deprecations/deprecations_service.ts +++ b/src/core/public/deprecations/deprecations_service.ts 
@@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import type { CoreService } from '../../types'; +import type { CoreService } from '@kbn/core-base-browser-internal'; import type { HttpStart } from '../http'; import { DeprecationsClient, ResolveDeprecationResponse } from './deprecations_client'; import type { DomainDeprecationDetails } from '../../server/types'; diff --git a/src/core/public/doc_links/doc_links_service.mock.ts b/src/core/public/doc_links/doc_links_service.mock.ts index a4dd00eec84cc..b88007d68ba17 100644 --- a/src/core/public/doc_links/doc_links_service.mock.ts +++ b/src/core/public/doc_links/doc_links_service.mock.ts @@ -7,7 +7,7 @@ */ import type { PublicMethodsOf } from '@kbn/utility-types'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { DocLinksService, DocLinksStart } from './doc_links_service'; const createStartContractMock = (): DocLinksStart => { diff --git a/src/core/public/doc_links/doc_links_service.test.ts b/src/core/public/doc_links/doc_links_service.test.ts index 9ddb0fc884b9b..b30082e62c653 100644 --- a/src/core/public/doc_links/doc_links_service.test.ts +++ b/src/core/public/doc_links/doc_links_service.test.ts @@ -8,7 +8,7 @@ import { getDocLinksMock, getDocLinksMetaMock } from './doc_links_service.test.mocks'; import { DocLinksService } from './doc_links_service'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; describe('DocLinksService', () => { let injectedMetadata: ReturnType; diff --git a/src/core/public/doc_links/doc_links_service.ts b/src/core/public/doc_links/doc_links_service.ts index 09f997028e6d8..7da4737c0d5e1 100644 --- a/src/core/public/doc_links/doc_links_service.ts +++ b/src/core/public/doc_links/doc_links_service.ts 
@@ -8,10 +8,10 @@ import { getDocLinks, getDocLinksMeta } from '@kbn/doc-links'; import type { DocLinks } from '@kbn/doc-links'; -import { InjectedMetadataSetup } from '../injected_metadata'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; export interface StartDeps { - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } /** @internal */ diff --git a/src/core/public/execution_context/execution_context_service.ts b/src/core/public/execution_context/execution_context_service.ts index c8d198b9c84f8..045be76a43cf0 100644 --- a/src/core/public/execution_context/execution_context_service.ts +++ b/src/core/public/execution_context/execution_context_service.ts @@ -8,8 +8,9 @@ import { compact, isEqual, isUndefined, omitBy } from 'lodash'; import { BehaviorSubject, Observable, Subscription, map } from 'rxjs'; +import type { CoreService } from '@kbn/core-base-browser-internal'; import { AnalyticsServiceSetup } from '../analytics'; -import { CoreService, KibanaExecutionContext } from '../../types'; +import { KibanaExecutionContext } from '../../types'; // Should be exported from elastic/apm-rum export type LabelValue = string | number | boolean; diff --git a/src/core/public/fatal_errors/fatal_errors_service.test.ts b/src/core/public/fatal_errors/fatal_errors_service.test.ts index 4b243979c8e4d..f95b036c36df3 100644 --- a/src/core/public/fatal_errors/fatal_errors_service.test.ts +++ b/src/core/public/fatal_errors/fatal_errors_service.test.ts @@ -14,7 +14,7 @@ expect.addSnapshotSerializer({ }); import { mockRender } from './fatal_errors_service.test.mocks'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { themeServiceMock } from '../theme/theme_service.mock'; import { FatalErrorsService } from './fatal_errors_service'; 
diff --git a/src/core/public/fatal_errors/fatal_errors_service.tsx b/src/core/public/fatal_errors/fatal_errors_service.tsx index 0e72b99bc6b92..36d5ebf5c02e9 100644 --- a/src/core/public/fatal_errors/fatal_errors_service.tsx +++ b/src/core/public/fatal_errors/fatal_errors_service.tsx @@ -11,8 +11,8 @@ import { render } from 'react-dom'; import * as Rx from 'rxjs'; import { first, tap } from 'rxjs/operators'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { I18nStart } from '../i18n'; -import { InjectedMetadataSetup } from '../injected_metadata'; import { ThemeServiceSetup } from '../theme'; import { CoreContextProvider } from '../utils'; import { FatalErrorsScreen } from './fatal_errors_screen'; @@ -21,7 +21,7 @@ import { FatalErrorInfo, getErrorInfo } from './get_error_info'; export interface Deps { i18n: I18nStart; theme: ThemeServiceSetup; - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } /** diff --git a/src/core/public/http/anonymous_paths_service.ts b/src/core/public/http/anonymous_paths_service.ts index 4aae7460815b6..f3b47ab0eda30 100644 --- a/src/core/public/http/anonymous_paths_service.ts +++ b/src/core/public/http/anonymous_paths_service.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ +import type { CoreService } from '@kbn/core-base-browser-internal'; import { IAnonymousPaths, IBasePath } from '..'; -import { CoreService } from '../../types'; interface Deps { basePath: IBasePath; diff --git a/src/core/public/http/external_url_service.ts b/src/core/public/http/external_url_service.ts index ffc2d9ec89be3..0e5994a253ace 100644 --- a/src/core/public/http/external_url_service.ts +++ b/src/core/public/http/external_url_service.ts 
@@ -6,16 +6,15 @@ * Side Public License, v 1. */ +import type { CoreService } from '@kbn/core-base-browser-internal'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { IExternalUrlPolicy } from '../../server/types'; - -import { CoreService } from '../../types'; import { IExternalUrl } from './types'; -import { InjectedMetadataSetup } from '../injected_metadata'; import { Sha256 } from '../utils'; interface SetupDeps { location: Pick; - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } function* getHostHashes(actualHost: string) { diff --git a/src/core/public/http/http_service.test.ts b/src/core/public/http/http_service.test.ts index 698fa876433d4..af6e2343d5f8a 100644 --- a/src/core/public/http/http_service.test.ts +++ b/src/core/public/http/http_service.test.ts @@ -11,7 +11,7 @@ import fetchMock from 'fetch-mock/es5/client'; import { loadingServiceMock } from './http_service.test.mocks'; import { fatalErrorsServiceMock } from '../fatal_errors/fatal_errors_service.mock'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { HttpService } from './http_service'; import { Observable } from 'rxjs'; import { executionContextServiceMock } from '../execution_context/execution_context_service.mock'; diff --git a/src/core/public/http/http_service.ts b/src/core/public/http/http_service.ts index 390130da4e07d..4507b808e5a4a 100644 --- a/src/core/public/http/http_service.ts +++ b/src/core/public/http/http_service.ts 
@@ -6,19 +6,19 @@ * Side Public License, v 1. */ +import type { CoreService } from '@kbn/core-base-browser-internal'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { HttpSetup, HttpStart } from './types'; -import { InjectedMetadataSetup } from '../injected_metadata'; import { FatalErrorsSetup } from '../fatal_errors'; import { BasePath } from './base_path'; import { AnonymousPathsService } from './anonymous_paths_service'; import { LoadingCountService } from './loading_count_service'; import { Fetch } from './fetch'; -import { CoreService } from '../../types'; import { ExternalUrlService } from './external_url_service'; import { ExecutionContextSetup } from '../execution_context'; interface HttpDeps { - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; fatalErrors: FatalErrorsSetup; executionContext: ExecutionContextSetup; } diff --git a/src/core/public/http/loading_count_service.ts b/src/core/public/http/loading_count_service.ts index ccbb3e33ca224..c2ae7433b82c4 100644 --- a/src/core/public/http/loading_count_service.ts +++ b/src/core/public/http/loading_count_service.ts @@ -16,8 +16,8 @@ import { takeUntil, tap, } from 'rxjs/operators'; +import type { CoreService } from '@kbn/core-base-browser-internal'; import { FatalErrorsSetup } from '../fatal_errors'; -import { CoreService } from '../../types'; /** @public */ export interface LoadingCountSetup { diff --git a/src/core/public/index.ts b/src/core/public/index.ts index 8c2a614b5f661..21003b17928dd 100644 --- a/src/core/public/index.ts +++ b/src/core/public/index.ts @@ -26,6 +26,10 @@ import './index.scss'; +import type { + InjectedMetadataSetup, + InjectedMetadataStart, +} from '@kbn/core-injected-metadata-browser'; import { ChromeBadge, ChromeBreadcrumb, 
@@ -69,7 +73,8 @@ export type { IExternalUrlPolicy, DomainDeprecationDetails, } from '../server/types'; -export type { CoreContext, CoreSystem } from './core_system'; +export type { CoreContext } from '@kbn/core-base-browser-internal'; +export type { CoreSystem } from './core_system'; export { DEFAULT_APP_CATEGORIES, APP_WRAPPER_CLASS } from '../utils'; export type { AppCategory, UiSettingsParams, UserProvidedValues, UiSettingsType } from '../types'; @@ -242,16 +247,8 @@ export interface CoreSetup unknown; - }; + /** {@link InjectedMetadataSetup} */ + injectedMetadata: InjectedMetadataSetup; /** {@link ThemeServiceSetup} */ theme: ThemeServiceSetup; /** {@link StartServicesAccessor} */ @@ -308,16 +305,8 @@ export interface CoreStart { deprecations: DeprecationsServiceStart; /** {@link ThemeServiceStart} */ theme: ThemeServiceStart; - /** - * exposed temporarily until https://github.com/elastic/kibana/issues/41990 done - * use *only* to retrieve config values. There is no way to set injected values - * in the new platform. - * @deprecated - * @removeBy 8.8.0 - * */ - injectedMetadata: { - getInjectedVar: (name: string, defaultValue?: any) => unknown; - }; + /** {@link InjectedMetadataStart} */ + injectedMetadata: InjectedMetadataStart; } export type { diff --git a/src/core/public/injected_metadata/injected_metadata_service.ts b/src/core/public/injected_metadata/injected_metadata_service.ts deleted file mode 100644 index 2e19da5c2cffe..0000000000000 --- a/src/core/public/injected_metadata/injected_metadata_service.ts +++ /dev/null 
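Review bot: The `@deprecated` / `@removeBy 8.8.0` JSDoc on `CoreSetup.injectedMetadata` and `CoreStart.injectedMetadata` is replaced by a bare `/** {@link InjectedMetadataSetup} */` (and `InjectedMetadataStart`), so unless those tags now live on the `@kbn/core-injected-metadata-browser` types, plugin authors lose both the deprecation warning and the "use *only* to retrieve config values" guidance on the public contract. If the package types do not carry them, keep the tags here: `/** {@link InjectedMetadataSetup} @deprecated @removeBy 8.8.0 */`. The removed text for the `CoreSetup` block is garbled in this rendering (`CoreSetup unknown; - };`), so I am inferring its content from the parallel `CoreStart` block.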
@@ -1,202 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { get } from 'lodash'; -import { deepFreeze } from '@kbn/std'; -import type { ThemeVersion } from '@kbn/ui-shared-deps-npm'; -import { DiscoveredPlugin, PluginName } from '../../server'; -import { - EnvironmentMode, - IExternalUrlPolicy, - PackageInfo, - UiSettingsParams, - UserProvidedValues, -} from '../../server/types'; -import { AppCategory } from '..'; - -export interface InjectedPluginMetadata { - id: PluginName; - plugin: DiscoveredPlugin; - config?: { - [key: string]: unknown; - }; -} - -export interface InjectedMetadataClusterInfo { - cluster_uuid?: string; - cluster_name?: string; - cluster_version?: string; -} - -/** @internal */ -export interface InjectedMetadataParams { - injectedMetadata: { - version: string; - buildNumber: number; - branch: string; - basePath: string; - serverBasePath: string; - publicBaseUrl: string; - clusterInfo: InjectedMetadataClusterInfo; - category?: AppCategory; - csp: { - warnLegacyBrowsers: boolean; - }; - externalUrl: { - policy: IExternalUrlPolicy[]; - }; - vars: { - [key: string]: unknown; - }; - theme: { - darkMode: boolean; - version: ThemeVersion; - }; - env: { - mode: Readonly; - packageInfo: Readonly; - }; - uiPlugins: InjectedPluginMetadata[]; - anonymousStatusPage: boolean; - legacyMetadata: { - uiSettings: { - defaults: Record; - user?: Record; - }; - }; - }; -} - -/** - * Provides access to the metadata that is injected by the - * server into the page. The metadata is actually defined - * in the entry file for the bundle containing the new platform - * and is read from the DOM in most cases. 
- * - * @internal - */ -export class InjectedMetadataService { - private state: InjectedMetadataParams['injectedMetadata']; - - constructor(private readonly params: InjectedMetadataParams) { - this.state = deepFreeze( - this.params.injectedMetadata - ) as InjectedMetadataParams['injectedMetadata']; - } - - public start(): InjectedMetadataStart { - return this.setup(); - } - - public setup(): InjectedMetadataSetup { - return { - getBasePath: () => { - return this.state.basePath; - }, - - getServerBasePath: () => { - return this.state.serverBasePath; - }, - - getPublicBaseUrl: () => { - return this.state.publicBaseUrl; - }, - - getAnonymousStatusPage: () => { - return this.state.anonymousStatusPage; - }, - - getKibanaVersion: () => { - return this.state.version; - }, - - getCspConfig: () => { - return this.state.csp; - }, - - getExternalUrlConfig: () => { - return this.state.externalUrl; - }, - - getPlugins: () => { - return this.state.uiPlugins; - }, - - getLegacyMetadata: () => { - return this.state.legacyMetadata; - }, - - getInjectedVar: (name: string, defaultValue?: any): unknown => { - return get(this.state.vars, name, defaultValue); - }, - - getInjectedVars: () => { - return this.state.vars; - }, - - getKibanaBuildNumber: () => { - return this.state.buildNumber; - }, - - getKibanaBranch: () => { - return this.state.branch; - }, - - getTheme: () => { - return this.state.theme; - }, - - getElasticsearchInfo: () => { - return this.state.clusterInfo; - }, - }; - } -} - -/** - * Provides access to the metadata injected by the server into the page - * - * @internal - */ -export interface InjectedMetadataSetup { - getBasePath: () => string; - getServerBasePath: () => string; - getPublicBaseUrl: () => string; - getKibanaBuildNumber: () => number; - getKibanaBranch: () => string; - getKibanaVersion: () => string; - getCspConfig: () => { - warnLegacyBrowsers: boolean; - }; - getExternalUrlConfig: () => { - policy: IExternalUrlPolicy[]; - }; - getTheme: () => { - 
darkMode: boolean; - version: ThemeVersion; - }; - getElasticsearchInfo: () => InjectedMetadataClusterInfo; - /** - * An array of frontend plugins in topological order. - */ - getPlugins: () => InjectedPluginMetadata[]; - getAnonymousStatusPage: () => boolean; - getLegacyMetadata: () => { - uiSettings: { - defaults: Record; - user?: Record | undefined; - }; - }; - getInjectedVar: (name: string, defaultValue?: any) => unknown; - getInjectedVars: () => { - [key: string]: unknown; - }; -} - -/** @internal */ -export type InjectedMetadataStart = InjectedMetadataSetup; diff --git a/src/core/public/integrations/integrations_service.test.mocks.ts b/src/core/public/integrations/integrations_service.test.mocks.ts index 341d13b3149fb..9e9bf29cde635 100644 --- a/src/core/public/integrations/integrations_service.test.mocks.ts +++ b/src/core/public/integrations/integrations_service.test.mocks.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { CoreService } from '../../types'; +import type { CoreService } from '@kbn/core-base-browser-internal'; const createCoreServiceMock = (): jest.Mocked => { return { diff --git a/src/core/public/integrations/integrations_service.ts b/src/core/public/integrations/integrations_service.ts index 7c52205022440..e03546998ba7e 100644 --- a/src/core/public/integrations/integrations_service.ts +++ b/src/core/public/integrations/integrations_service.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ +import type { CoreService } from '@kbn/core-base-browser-internal'; import { IUiSettingsClient } from '../ui_settings'; -import { CoreService } from '../../types'; import { MomentService } from './moment'; import { StylesService } from './styles'; diff --git a/src/core/public/integrations/moment/moment_service.ts b/src/core/public/integrations/moment/moment_service.ts index 5efd3852be214..0f58c8d7fb19f 100644 --- a/src/core/public/integrations/moment/moment_service.ts +++ b/src/core/public/integrations/moment/moment_service.ts 
@@ -8,10 +8,10 @@ import moment from 'moment-timezone'; import { merge, Subscription } from 'rxjs'; - import { tap } from 'rxjs/operators'; + +import type { CoreService } from '@kbn/core-base-browser-internal'; import { IUiSettingsClient } from '../../ui_settings'; -import { CoreService } from '../../../types'; interface StartDeps { uiSettings: IUiSettingsClient; diff --git a/src/core/public/integrations/styles/styles_service.ts b/src/core/public/integrations/styles/styles_service.ts index 4c5df366e5a99..3e8f02739a8d0 100644 --- a/src/core/public/integrations/styles/styles_service.ts +++ b/src/core/public/integrations/styles/styles_service.ts @@ -8,8 +8,8 @@ import { Subscription } from 'rxjs'; +import type { CoreService } from '@kbn/core-base-browser-internal'; import { IUiSettingsClient } from '../../ui_settings'; -import { CoreService } from '../../../types'; // @ts-expect-error import disableAnimationsCss from '!!raw-loader!./disable_animations.css'; diff --git a/src/core/public/mocks.ts b/src/core/public/mocks.ts index c755c6626de01..38ae84c59c095 100644 --- a/src/core/public/mocks.ts +++ b/src/core/public/mocks.ts @@ -7,9 +7,11 @@ */ import { createMemoryHistory } from 'history'; +import type { CoreContext } from '@kbn/core-base-browser-internal'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; // Only import types from '.' to avoid triggering default Jest mocks. -import { CoreContext, PluginInitializerContext, AppMountParameters } from '.'; +import { PluginInitializerContext, AppMountParameters } from '.'; // Import values from their individual modules instead. import { ScopedHistory } from './application'; 
@@ -24,11 +26,11 @@ import { notificationServiceMock } from './notifications/notifications_service.m import { overlayServiceMock } from './overlays/overlay_service.mock'; import { uiSettingsServiceMock } from './ui_settings/ui_settings_service.mock'; import { savedObjectsServiceMock } from './saved_objects/saved_objects_service.mock'; -import { injectedMetadataServiceMock } from './injected_metadata/injected_metadata_service.mock'; import { deprecationsServiceMock } from './deprecations/deprecations_service.mock'; import { themeServiceMock } from './theme/theme_service.mock'; import { executionContextServiceMock } from './execution_context/execution_context_service.mock'; +export { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; export { chromeServiceMock } from './chrome/chrome_service.mock'; export { docLinksServiceMock } from './doc_links/doc_links_service.mock'; export { executionContextServiceMock } from './execution_context/execution_context_service.mock'; @@ -36,7 +38,6 @@ export { analyticsServiceMock } from './analytics/analytics_service.mock'; export { fatalErrorsServiceMock } from './fatal_errors/fatal_errors_service.mock'; export { httpServiceMock } from './http/http_service.mock'; export { i18nServiceMock } from './i18n/i18n_service.mock'; -export { injectedMetadataServiceMock } from './injected_metadata/injected_metadata_service.mock'; export { notificationServiceMock } from './notifications/notifications_service.mock'; export { overlayServiceMock } from './overlays/overlay_service.mock'; export { uiSettingsServiceMock } from './ui_settings/ui_settings_service.mock'; diff --git a/src/core/public/plugins/plugin_context.ts b/src/core/public/plugins/plugin_context.ts index 7d288799a34c3..13695b2310f50 100644 --- a/src/core/public/plugins/plugin_context.ts +++ b/src/core/public/plugins/plugin_context.ts 
@@ -7,9 +7,9 @@ */ import { omit } from 'lodash'; +import type { CoreContext } from '@kbn/core-base-browser-internal'; import { DiscoveredPlugin } from '../../server'; import { PluginOpaqueId, PackageInfo, EnvironmentMode } from '../../server/types'; -import { CoreContext } from '../core_system'; import { PluginWrapper } from './plugin'; import { PluginsServiceSetupDeps, PluginsServiceStartDeps } from './plugins_service'; import { CoreSetup, CoreStart } from '..'; diff --git a/src/core/public/plugins/plugins_service.test.ts b/src/core/public/plugins/plugins_service.test.ts index c8438a03fcec7..6531e38e3196a 100644 --- a/src/core/public/plugins/plugins_service.test.ts +++ b/src/core/public/plugins/plugins_service.test.ts @@ -21,7 +21,7 @@ import { PluginsServiceSetupDeps, } from './plugins_service'; -import { InjectedPluginMetadata } from '../injected_metadata'; +import type { InjectedMetadataPlugin } from '@kbn/core-injected-metadata-common-internal'; import { notificationServiceMock } from '../notifications/notifications_service.mock'; import { applicationServiceMock } from '../application/application_service.mock'; import { i18nServiceMock } from '../i18n/i18n_service.mock'; @@ -29,7 +29,7 @@ import { overlayServiceMock } from '../overlays/overlay_service.mock'; import { chromeServiceMock } from '../chrome/chrome_service.mock'; import { fatalErrorsServiceMock } from '../fatal_errors/fatal_errors_service.mock'; import { uiSettingsServiceMock } from '../ui_settings/ui_settings_service.mock'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { httpServiceMock } from '../http/http_service.mock'; import { CoreSetup, CoreStart, PluginInitializerContext } from '..'; import { docLinksServiceMock } from '../doc_links/doc_links_service.mock'; 
@@ -45,7 +45,7 @@ mockPluginInitializerProvider.mockImplementation( (pluginName) => mockPluginInitializers.get(pluginName)! ); -let plugins: InjectedPluginMetadata[]; +let plugins: InjectedMetadataPlugin[]; type DeeplyMocked = { [P in keyof T]: jest.Mocked }; diff --git a/src/core/public/plugins/plugins_service.ts b/src/core/public/plugins/plugins_service.ts index 51af5a831d44b..dc0a77d096ff4 100644 --- a/src/core/public/plugins/plugins_service.ts +++ b/src/core/public/plugins/plugins_service.ts @@ -6,9 +6,9 @@ * Side Public License, v 1. */ -import { PluginName, PluginOpaqueId } from '../../server'; -import { CoreService } from '../../types'; -import { CoreContext } from '../core_system'; +import type { CoreService, CoreContext } from '@kbn/core-base-browser-internal'; +import type { PluginName, PluginOpaqueId } from '@kbn/core-base-common'; +import type { InjectedMetadataPlugin } from '@kbn/core-injected-metadata-common-internal'; import { PluginWrapper } from './plugin'; import { createPluginInitializerContext, @@ -16,7 +16,6 @@ import { createPluginStartContext, } from './plugin_context'; import { InternalCoreSetup, InternalCoreStart } from '../core_system'; -import { InjectedPluginMetadata } from '../injected_metadata'; /** @internal */ export type PluginsServiceSetupDeps = InternalCoreSetup; @@ -27,6 +26,7 @@ export type PluginsServiceStartDeps = InternalCoreStart; export interface PluginsServiceSetup { contracts: ReadonlyMap; } + /** @internal */ export interface PluginsServiceStart { contracts: ReadonlyMap; @@ -45,7 +45,7 @@ export class PluginsService implements CoreService(plugins.map((p) => [p.id, Symbol(p.id)])); diff --git a/src/core/public/public.api.md b/src/core/public/public.api.md index 4f983b79b8292..e655ccc210303 100644 --- a/src/core/public/public.api.md +++ b/src/core/public/public.api.md 
@@ -9,8 +9,8 @@ import { Action } from 'history'; import { AnalyticsClient } from '@kbn/analytics-client'; import type { ButtonColor } from '@elastic/eui'; -import { ConfigPath } from '@kbn/config'; import { ContextProviderOpts } from '@kbn/analytics-client'; +import { CoreContext } from '@kbn/core-base-browser-internal'; import type { DocLinks } from '@kbn/doc-links'; import { EnvironmentMode } from '@kbn/config'; import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; @@ -27,6 +27,9 @@ import { EventTypeOpts } from '@kbn/analytics-client'; import { History as History_2 } from 'history'; import { Href } from 'history'; import { IconType } from '@elastic/eui'; +import { InjectedMetadataParams } from '@kbn/core-injected-metadata-browser-internal'; +import type { InjectedMetadataSetup } from '@kbn/core-injected-metadata-browser'; +import type { InjectedMetadataStart } from '@kbn/core-injected-metadata-browser'; import { IShipper } from '@kbn/analytics-client'; import { Location as Location_2 } from 'history'; import { LocationDescriptorObject } from 'history'; @@ -35,13 +38,13 @@ import { Observable } from 'rxjs'; import { OptInConfig } from '@kbn/analytics-client'; import { PackageInfo } from '@kbn/config'; import { Path } from 'history'; +import { PluginOpaqueId } from '@kbn/core-base-common'; import { default as React_2 } from 'react'; import { RecursiveReadonly } from '@kbn/utility-types'; import * as Rx from 'rxjs'; import { ShipperClassConstructor } from '@kbn/analytics-client'; import { TelemetryCounter } from '@kbn/analytics-client'; import { TelemetryCounterType } from '@kbn/analytics-client'; -import type { ThemeVersion } from '@kbn/ui-shared-deps-npm'; import { TransitionPromptHook } from 'history'; import { Type } from '@kbn/config-schema'; import { UiCounterMetricType } from '@kbn/analytics'; 
@@ -388,18 +391,7 @@ export interface ChromeUserBanner { export { ContextProviderOpts } -// @internal (undocumented) -export interface CoreContext { - // Warning: (ae-forgotten-export) The symbol "CoreId" needs to be exported by the entry point index.d.ts - // - // (undocumented) - coreId: CoreId; - // (undocumented) - env: { - mode: Readonly; - packageInfo: Readonly; - }; -} +export { CoreContext } // @public export interface CoreSetup { @@ -415,10 +407,10 @@ export interface CoreSetup; // (undocumented) http: HttpSetup; - // @deprecated - injectedMetadata: { - getInjectedVar: (name: string, defaultValue?: any) => unknown; - }; + // Warning: (ae-unresolved-link) The @link reference could not be resolved: The package "kibana" does not have an export "InjectedMetadataSetup" + // + // (undocumented) + injectedMetadata: InjectedMetadataSetup; // (undocumented) notifications: NotificationsSetup; // (undocumented) @@ -447,10 +439,10 @@ export interface CoreStart { http: HttpStart; // (undocumented) i18n: I18nStart; - // @deprecated - injectedMetadata: { - getInjectedVar: (name: string, defaultValue?: any) => unknown; - }; + // Warning: (ae-unresolved-link) The @link reference could not be resolved: The package "kibana" does not have an export "InjectedMetadataStart" + // + // (undocumented) + injectedMetadata: InjectedMetadataStart; // (undocumented) notifications: NotificationsStart; // (undocumented) @@ -966,8 +958,7 @@ export interface PluginInitializerContext readonly opaqueId: PluginOpaqueId; } -// @public (undocumented) -export type PluginOpaqueId = symbol; +export { PluginOpaqueId } // @public export type PublicAppDeepLinkInfo = Omit & { 
@@ -1574,6 +1565,6 @@ export interface UserProvidedValues { // Warnings were encountered during analysis: // -// src/core/public/core_system.ts:195:21 - (ae-forgotten-export) The symbol "InternalApplicationStart" needs to be exported by the entry point index.d.ts +// src/core/public/core_system.ts:186:21 - (ae-forgotten-export) The symbol "InternalApplicationStart" needs to be exported by the entry point index.d.ts ``` diff --git a/src/core/public/saved_objects/saved_objects_service.ts b/src/core/public/saved_objects/saved_objects_service.ts index d5463913f9d80..5de1dcb0f702f 100644 --- a/src/core/public/saved_objects/saved_objects_service.ts +++ b/src/core/public/saved_objects/saved_objects_service.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import { CoreService } from '../../types'; -import { CoreStart } from '..'; +import type { CoreService } from '@kbn/core-base-browser-internal'; +import type { HttpStart } from '../http'; import { SavedObjectsClient, SavedObjectsClientContract } from './saved_objects_client'; /** @@ -20,7 +20,7 @@ export interface SavedObjectsStart { export class SavedObjectsService implements CoreService { public async setup() {} - public async start({ http }: { http: CoreStart['http'] }): Promise { + public async start({ http }: { http: HttpStart }): Promise { return { client: new SavedObjectsClient(http) }; } public async stop() {} diff --git a/src/core/public/theme/theme_service.test.ts b/src/core/public/theme/theme_service.test.ts index d38ef98735a3d..9bc01dc3af26e 100644 --- a/src/core/public/theme/theme_service.test.ts +++ b/src/core/public/theme/theme_service.test.ts @@ -7,7 +7,7 @@ */ import { take } from 'rxjs/operators'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { ThemeService } from './theme_service'; describe('ThemeService', () => { 
diff --git a/src/core/public/theme/theme_service.ts b/src/core/public/theme/theme_service.ts index e70bd901cde80..f648727789580 100644 --- a/src/core/public/theme/theme_service.ts +++ b/src/core/public/theme/theme_service.ts @@ -8,11 +8,11 @@ import { Subject, Observable, of } from 'rxjs'; import { shareReplay, takeUntil } from 'rxjs/operators'; -import { InjectedMetadataSetup } from '../injected_metadata'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import type { CoreTheme, ThemeServiceSetup, ThemeServiceStart } from './types'; export interface SetupDeps { - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } export class ThemeService { diff --git a/src/core/public/ui_settings/ui_settings_service.test.ts b/src/core/public/ui_settings/ui_settings_service.test.ts index 83b2c26091bfd..b4af250e5b69f 100644 --- a/src/core/public/ui_settings/ui_settings_service.test.ts +++ b/src/core/public/ui_settings/ui_settings_service.test.ts @@ -9,7 +9,7 @@ import * as Rx from 'rxjs'; import { httpServiceMock } from '../http/http_service.mock'; -import { injectedMetadataServiceMock } from '../injected_metadata/injected_metadata_service.mock'; +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { UiSettingsService } from './ui_settings_service'; const httpSetup = httpServiceMock.createSetupContract(); diff --git a/src/core/public/ui_settings/ui_settings_service.ts b/src/core/public/ui_settings/ui_settings_service.ts index 1a3f275aa31ed..17a5f189146fb 100644 --- a/src/core/public/ui_settings/ui_settings_service.ts +++ b/src/core/public/ui_settings/ui_settings_service.ts 
@@ -8,8 +8,8 @@ import { Subject } from 'rxjs'; +import type { InternalInjectedMetadataSetup } from '@kbn/core-injected-metadata-browser-internal'; import { HttpSetup } from '../http'; -import { InjectedMetadataSetup } from '../injected_metadata'; import { UiSettingsApi } from './ui_settings_api'; import { UiSettingsClient } from './ui_settings_client'; @@ -17,7 +17,7 @@ import { IUiSettingsClient } from './types'; export interface UiSettingsServiceDeps { http: HttpSetup; - injectedMetadata: InjectedMetadataSetup; + injectedMetadata: InternalInjectedMetadataSetup; } /** @internal */ diff --git a/src/core/server/analytics/analytics_service.ts b/src/core/server/analytics/analytics_service.ts index 24389dfa7e938..7d091f5744800 100644 --- a/src/core/server/analytics/analytics_service.ts +++ b/src/core/server/analytics/analytics_service.ts @@ -6,10 +6,10 @@ * Side Public License, v 1. */ +import { of } from 'rxjs'; import type { AnalyticsClient } from '@kbn/analytics-client'; import { createAnalytics } from '@kbn/analytics-client'; -import { of } from 'rxjs'; -import type { CoreContext } from '../core_context'; +import type { CoreContext } from '@kbn/core-base-server-internal'; /** * Exposes the public APIs of the AnalyticsClient during the preboot phase diff --git a/src/core/server/bootstrap.ts b/src/core/server/bootstrap.ts index 6190665fc78e4..fd08d12e60416 100644 --- a/src/core/server/bootstrap.ts +++ b/src/core/server/bootstrap.ts @@ -7,7 +7,7 @@ */ import chalk from 'chalk'; -import { CliArgs, Env, RawConfigService } from './config'; +import { CliArgs, Env, RawConfigService } from '@kbn/config'; import { Root } from './root'; import { CriticalError } from './errors'; diff --git a/src/core/server/capabilities/capabilities_service.ts b/src/core/server/capabilities/capabilities_service.ts index 7788acd5cc9e8..979a2d9d74a7a 100644 --- a/src/core/server/capabilities/capabilities_service.ts +++ b/src/core/server/capabilities/capabilities_service.ts 
@@ -6,9 +6,9 @@ * Side Public License, v 1. */ +import type { CoreContext } from '@kbn/core-base-server-internal'; import { Logger } from '@kbn/logging'; import { Capabilities, CapabilitiesProvider, CapabilitiesSwitcher } from './types'; -import { CoreContext } from '../core_context'; import { InternalHttpServicePreboot, InternalHttpServiceSetup, KibanaRequest } from '../http'; import { mergeCapabilities } from './merge_capabilities'; import { getCapabilitiesResolver, CapabilitiesResolver } from './resolve_capabilities'; diff --git a/src/core/server/capabilities/integration_tests/capabilities_service.test.ts b/src/core/server/capabilities/integration_tests/capabilities_service.test.ts index c1f6ffb5add77..3cd0c6b32b82b 100644 --- a/src/core/server/capabilities/integration_tests/capabilities_service.test.ts +++ b/src/core/server/capabilities/integration_tests/capabilities_service.test.ts @@ -8,12 +8,12 @@ import supertest from 'supertest'; import { REPO_ROOT } from '@kbn/utils'; +import { Env } from '@kbn/config'; +import { getEnvOptions } from '@kbn/config-mocks'; import { HttpService, InternalHttpServicePreboot, InternalHttpServiceSetup } from '../../http'; import { contextServiceMock } from '../../context/context_service.mock'; import { executionContextServiceMock } from '../../execution_context/execution_context_service.mock'; import { loggingSystemMock } from '../../logging/logging_system.mock'; -import { Env } from '../../config'; -import { getEnvOptions } from '../../config/mocks'; import { CapabilitiesService, CapabilitiesSetup } from '..'; import { createHttpServer } from '../../http/test_utils'; diff --git a/src/core/server/config/ensure_valid_configuration.test.ts b/src/core/server/config/ensure_valid_configuration.test.ts index 372b9d4c0dfad..9161ffefaf5d3 100644 --- a/src/core/server/config/ensure_valid_configuration.test.ts +++ b/src/core/server/config/ensure_valid_configuration.test.ts 
@@ -6,7 +6,7 @@
  * Side Public License, v 1.
  */
 
-import { configServiceMock } from './mocks';
+import { configServiceMock } from '@kbn/config-mocks';
 import { ensureValidConfiguration } from './ensure_valid_configuration';
 import { CriticalError } from '../errors';
 
diff --git a/src/core/server/config/index.ts b/src/core/server/config/index.ts
index 62e8ad755795f..a873c593660af 100644
--- a/src/core/server/config/index.ts
+++ b/src/core/server/config/index.ts
@@ -8,27 +8,3 @@
 
 export { coreDeprecationProvider } from './deprecation';
 export { ensureValidConfiguration } from './ensure_valid_configuration';
-
-export {
- ConfigService,
- isConfigPath,
- hasConfigPathIntersection,
- Env,
- ObjectToConfigAdapter,
- RawConfigService,
-} from '@kbn/config';
-
-export type {
- IConfigService,
- RawConfigurationProvider,
- Config,
- ConfigPath,
- CliArgs,
- ConfigDeprecation,
- ConfigDeprecationContext,
- AddConfigDeprecation,
- ConfigDeprecationProvider,
- ConfigDeprecationFactory,
- EnvironmentMode,
- PackageInfo,
-} from '@kbn/config';
diff --git a/src/core/server/config/mocks.ts b/src/core/server/config/mocks.ts
deleted file mode 100644
index 1ac4ea745aeec..0000000000000
--- a/src/core/server/config/mocks.ts
+++ /dev/null
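Review bot: Dropping the `@kbn/config` re-exports from `src/core/server/config/index.ts` turns every remaining `from '../config'` / `from './config'` import of `ConfigService`, `Env`, `IConfigService`, `CliArgs` and the other removed names into a compile error; this diff migrates bootstrap.ts, core_context.mock.ts and deprecations_service.ts, but nothing visible here shows the rest of `src/core/server` was swept, so a type-check of that package is the verification I would want recorded on the PR. A one-line comment on the two surviving exports would spare the next reader the search: `// Config primitives (ConfigService, Env, IConfigService, ...) are imported directly from '@kbn/config'; this module only hosts core-specific deprecation helpers.`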
@@ -1,38 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0 and the Server Side Public License, v 1; you may not use this file except
- * in compliance with, at your election, the Elastic License 2.0 or the Server
- * Side Public License, v 1.
- */
-
-import type {
- getEnvOptions as getEnvOptionsTyped,
- rawConfigServiceMock as rawConfigServiceMockTyped,
- configServiceMock as configServiceMockTyped,
- configMock as configMockTyped,
- configDeprecationsMock as configDeprecationsMockTyped,
-} from '@kbn/config/target_types/mocks';
-
-import {
- getEnvOptions as getEnvOptionsNonTyped,
- rawConfigServiceMock as rawConfigServiceMockNonTyped,
- configServiceMock as configServiceMockNonTyped,
- configMock as configMockNonTyped,
- configDeprecationsMock as configDeprecationsMockNonTyped,
- // @ts-expect-error
-} from '@kbn/config/target_node/mocks';
-
-const getEnvOptions: typeof getEnvOptionsTyped = getEnvOptionsNonTyped;
-const rawConfigServiceMock: typeof rawConfigServiceMockTyped = rawConfigServiceMockNonTyped;
-const configServiceMock: typeof configServiceMockTyped = configServiceMockNonTyped;
-const configMock: typeof configMockTyped = configMockNonTyped;
-const configDeprecationsMock: typeof configDeprecationsMockTyped = configDeprecationsMockNonTyped;
-
-export {
- getEnvOptions,
- rawConfigServiceMock,
- configServiceMock,
- configMock,
- configDeprecationsMock,
-};
diff --git a/src/core/server/config/test_utils.ts b/src/core/server/config/test_utils.ts
index f4d452005fbe4..825649a77ac51 100644
--- a/src/core/server/config/test_utils.ts
+++ b/src/core/server/config/test_utils.ts
@@ -8,7 +8,7 @@ import { set } from '@elastic/safer-lodash-set'; import type { ConfigDeprecationProvider, ConfigDeprecationContext } from '@kbn/config'; import { configDeprecationFactory, applyDeprecations } from '@kbn/config'; -import { configDeprecationsMock } from './mocks'; +import { configDeprecationsMock } from '@kbn/config-mocks'; const defaultContext = configDeprecationsMock.createContext(); diff --git a/src/core/server/context/container/context.ts b/src/core/server/context/container/context.ts index 4bc9a70a7afbb..a2acdf1e5e4cf 100644 --- a/src/core/server/context/container/context.ts +++ b/src/core/server/context/container/context.ts @@ -8,7 +8,9 @@ import { flatten } from 'lodash'; import { ShallowPromise, MaybePromise } from '@kbn/utility-types'; -import type { CoreId, PluginOpaqueId, RequestHandler, RequestHandlerContext } from '../..'; +import type { PluginOpaqueId } from '@kbn/core-base-common'; +import type { CoreId } from '@kbn/core-base-common-internal'; +import type { RequestHandler, RequestHandlerContext } from '../..'; /** * A function that returns a context value for a specific key of given context type. diff --git a/src/core/server/context/context_service.test.ts b/src/core/server/context/context_service.test.ts index ac16657fa40f4..0da55ca176e89 100644 --- a/src/core/server/context/context_service.test.ts +++ b/src/core/server/context/context_service.test.ts @@ -6,10 +6,10 @@ * Side Public License, v 1. */ -import { PluginOpaqueId } from '..'; +import type { PluginOpaqueId } from '@kbn/core-base-common'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import { MockContextConstructor } from './context_service.test.mocks'; import { ContextService } from './context_service'; -import { CoreContext } from '../core_context'; const pluginDependencies = new Map(); diff --git a/src/core/server/context/context_service.ts b/src/core/server/context/context_service.ts index 36f5d77a491e1..26ed2d6100ea9 100644 
--- a/src/core/server/context/context_service.ts +++ b/src/core/server/context/context_service.ts @@ -6,9 +6,9 @@ * Side Public License, v 1. */ -import { PluginOpaqueId } from '..'; +import type { PluginOpaqueId } from '@kbn/core-base-common'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import { IContextContainer, ContextContainer } from './container'; -import { CoreContext } from '../core_context'; type PrebootDeps = SetupDeps; diff --git a/src/core/server/core_app/core_app.ts b/src/core/server/core_app/core_app.ts index d51dfb10e5770..b004e1352da9b 100644 --- a/src/core/server/core_app/core_app.ts +++ b/src/core/server/core_app/core_app.ts @@ -11,12 +11,12 @@ import { stringify } from 'querystring'; import { Env } from '@kbn/config'; import { schema } from '@kbn/config-schema'; import { fromRoot } from '@kbn/utils'; -import { Logger } from '@kbn/logging'; +import type { Logger } from '@kbn/logging'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import { IRouter, IBasePath, IKibanaResponse, KibanaResponseFactory, KibanaRequest } from '../http'; import { HttpResources, HttpResourcesServiceToolkit } from '../http_resources'; import { InternalCorePreboot, InternalCoreSetup } from '../internal_types'; -import { CoreContext } from '../core_context'; import { registerBundleRoutes } from './bundle_routes'; import { UiPlugins } from '../plugins'; diff --git a/src/core/server/core_context.mock.ts b/src/core/server/core_context.mock.ts index 4d7b4e1ba5548..872054837f73d 100644 --- a/src/core/server/core_context.mock.ts +++ b/src/core/server/core_context.mock.ts 
@@ -8,9 +8,9 @@ import { REPO_ROOT } from '@kbn/utils'; import type { DeeplyMockedKeys } from '@kbn/utility-types/jest'; -import { CoreContext } from './core_context'; -import { Env, IConfigService } from './config'; -import { configServiceMock, getEnvOptions } from './config/mocks'; +import { Env, IConfigService } from '@kbn/config'; +import { configServiceMock, getEnvOptions } from '@kbn/config-mocks'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import { loggingSystemMock } from './logging/logging_system.mock'; import { ILoggingSystem } from './logging'; diff --git a/src/core/server/core_usage_data/core_usage_data_service.test.ts b/src/core/server/core_usage_data/core_usage_data_service.test.ts index 2dc1655a0f099..ec7f2b9c27073 100644 --- a/src/core/server/core_usage_data/core_usage_data_service.test.ts +++ b/src/core/server/core_usage_data/core_usage_data_service.test.ts @@ -13,8 +13,7 @@ import { TestScheduler } from 'rxjs/testing'; // eslint-disable-next-line @kbn/imports/no_unresolvable_imports import { HotObservable } from 'rxjs/internal/testing/HotObservable'; -import { configServiceMock } from '../config/mocks'; - +import { configServiceMock } from '@kbn/config-mocks'; import { mockCoreContext } from '../core_context.mock'; import { config as RawElasticsearchConfig } from '../elasticsearch/elasticsearch_config'; import { config as RawHttpConfig } from '../http/http_config'; diff --git a/src/core/server/core_usage_data/core_usage_data_service.ts b/src/core/server/core_usage_data/core_usage_data_service.ts index 5efb2b60ae4c4..2fd2ead344475 100644 --- a/src/core/server/core_usage_data/core_usage_data_service.ts +++ b/src/core/server/core_usage_data/core_usage_data_service.ts 
@@ -16,9 +16,9 @@ import type {
 AggregationsSingleBucketAggregateBase,
 SearchTotalHits,
 } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { CoreService } from '../../types';
-import { Logger, SavedObjectsServiceStart, SavedObjectTypeRegistry } from '..';
-import { CoreContext } from '../core_context';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
+import type { Logger } from '@kbn/logging';
+import { SavedObjectsServiceStart, SavedObjectTypeRegistry } from '..';
 import { ElasticsearchConfigType } from '../elasticsearch/elasticsearch_config';
 import { HttpConfigType, InternalHttpServiceSetup } from '../http';
 import { LoggingConfigType } from '../logging';
diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
index 28e3a65eff2fc..c9b848a9f3b40 100644
--- a/src/core/server/csp/config.ts
+++ b/src/core/server/csp/config.ts
@@ -7,7 +7,7 @@
 */
 import { TypeOf, schema } from '@kbn/config-schema';
-import { ServiceConfigDescriptor } from '../internal_types';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 interface DirectiveValidationOptions {
 allowNone: boolean;
diff --git a/src/core/server/deprecations/deprecation_config.ts b/src/core/server/deprecations/deprecation_config.ts
index fb5ff7e5957f5..77ca1a6799ef3 100644
--- a/src/core/server/deprecations/deprecation_config.ts
+++ b/src/core/server/deprecations/deprecation_config.ts
@@ -7,7 +7,7 @@
 */
 import { schema, TypeOf } from '@kbn/config-schema';
-import { ServiceConfigDescriptor } from '../internal_types';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 const configSchema = schema.object({
 // `deprecation.skip_deprecated_settings` is consistent with the equivalent ES feature and config property
diff --git a/src/core/server/deprecations/deprecations_service.ts b/src/core/server/deprecations/deprecations_service.ts
index b93c8cda748e5..9f1a119d546ec 100644
--- a/src/core/server/deprecations/deprecations_service.ts
+++ b/src/core/server/deprecations/deprecations_service.ts
@@ -9,13 +9,12 @@
 import { firstValueFrom } from 'rxjs';
 import type { Logger } from '@kbn/logging';
+import type { IConfigService } from '@kbn/config';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
 import { DeprecationsFactory } from './deprecations_factory';
 import { DomainDeprecationDetails, RegisterDeprecationsConfig } from './types';
 import { registerRoutes } from './routes';
 import { config as deprecationConfig, DeprecationConfigType } from './deprecation_config';
-import { CoreContext } from '../core_context';
-import { IConfigService } from '../config';
-import { CoreService } from '../../types';
 import { InternalHttpServiceSetup } from '../http';
 import { IScopedClusterClient } from '../elasticsearch/client';
 import { SavedObjectsClientContract } from '../saved_objects/types';
diff --git a/src/core/server/doc_links/doc_links_service.ts b/src/core/server/doc_links/doc_links_service.ts
index 75adb8edbe06b..bac1c56235b32 100644
--- a/src/core/server/doc_links/doc_links_service.ts
+++ b/src/core/server/doc_links/doc_links_service.ts
@@ -7,7 +7,7 @@
 */
 import { getDocLinks, getDocLinksMeta } from '@kbn/doc-links';
-import type { CoreContext } from '../core_context';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import type { DocLinksServiceSetup, DocLinksServiceStart } from './types';
 /** @internal */
diff --git a/src/core/server/elasticsearch/elasticsearch_config.ts b/src/core/server/elasticsearch/elasticsearch_config.ts
index 80bd52468fd7e..201f285d72874 100644
--- a/src/core/server/elasticsearch/elasticsearch_config.ts
+++ b/src/core/server/elasticsearch/elasticsearch_config.ts
@@ -11,8 +11,8 @@ import { readPkcs12Keystore, readPkcs12Truststore } from '@kbn/crypto';
 import { i18n } from '@kbn/i18n';
 import { Duration } from 'moment';
 import { readFileSync } from 'fs';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 import { ConfigDeprecationProvider } from '..';
-import { ServiceConfigDescriptor } from '../internal_types';
 import { getReservedHeaders } from './default_headers';
 const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
diff --git a/src/core/server/elasticsearch/elasticsearch_service.test.ts b/src/core/server/elasticsearch/elasticsearch_service.test.ts
index f979309292822..223980021a071 100644
--- a/src/core/server/elasticsearch/elasticsearch_service.test.ts
+++ b/src/core/server/elasticsearch/elasticsearch_service.test.ts
@@ -25,9 +25,9 @@ import type { NodesVersionCompatibility } from './version_check/ensure_es_versio
 import { BehaviorSubject, firstValueFrom } from 'rxjs';
 import { first, concatMap } from 'rxjs/operators';
 import { REPO_ROOT } from '@kbn/utils';
-import { Env } from '../config';
-import { configServiceMock, getEnvOptions } from '../config/mocks';
-import { CoreContext } from '../core_context';
+import { Env } from '@kbn/config';
+import { configServiceMock, getEnvOptions } from '@kbn/config-mocks';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { loggingSystemMock } from '../logging/logging_system.mock';
 import { httpServiceMock } from '../http/http_service.mock';
 import { executionContextServiceMock } from '../execution_context/execution_context_service.mock';
diff --git a/src/core/server/elasticsearch/elasticsearch_service.ts b/src/core/server/elasticsearch/elasticsearch_service.ts
index 7926b6bb8ca43..90b616c0d439b 100644
--- a/src/core/server/elasticsearch/elasticsearch_service.ts
+++ b/src/core/server/elasticsearch/elasticsearch_service.ts
@@ -10,10 +10,9 @@ import { firstValueFrom, Observable, Subject } from 'rxjs';
 import { map, shareReplay, takeUntil } from 'rxjs/operators';
 import type { Logger } from '@kbn/logging';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
 import { registerAnalyticsContextProvider } from './register_analytics_context_provider';
 import { AnalyticsServiceSetup } from '../analytics';
-import { CoreService } from '../../types';
-import { CoreContext } from '../core_context';
 import { ClusterClient, ElasticsearchClientConfig } from './client';
 import { ElasticsearchConfig, ElasticsearchConfigType } from './elasticsearch_config';
diff --git a/src/core/server/environment/create_data_folder.ts b/src/core/server/environment/create_data_folder.ts
index a9b0a00e83d19..74b7b28a8cb2d 100644
--- a/src/core/server/environment/create_data_folder.ts
+++ b/src/core/server/environment/create_data_folder.ts
@@ -6,7 +6,7 @@
 * Side Public License, v 1.
 */
-import { PathConfigType } from '@kbn/utils';
+import type { PathConfigType } from '@kbn/utils';
 import type { Logger } from '@kbn/logging';
 import { mkdir } from './fs';
diff --git a/src/core/server/environment/environment_service.test.ts b/src/core/server/environment/environment_service.test.ts
index c285edc443ce8..b6a52284f8af8 100644
--- a/src/core/server/environment/environment_service.test.ts
+++ b/src/core/server/environment/environment_service.test.ts
@@ -8,14 +8,14 @@
 import { BehaviorSubject } from 'rxjs';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { EnvironmentService } from './environment_service';
 import { resolveInstanceUuid } from './resolve_uuid';
 import { createDataFolder } from './create_data_folder';
 import { writePidFile } from './write_pid_file';
-import { CoreContext } from '../core_context';
 import type { AnalyticsServicePreboot } from '../analytics';
-import { configServiceMock } from '../config/mocks';
+import { configServiceMock } from '@kbn/config-mocks';
 import { loggingSystemMock } from '../logging/logging_system.mock';
 import { mockCoreContext } from '../core_context.mock';
 import { analyticsServiceMock } from '../analytics/analytics_service.mock';
diff --git a/src/core/server/environment/environment_service.ts b/src/core/server/environment/environment_service.ts
index 98d01e0bcbbe3..9fcf54c7bc1c2 100644
--- a/src/core/server/environment/environment_service.ts
+++ b/src/core/server/environment/environment_service.ts
@@ -9,9 +9,9 @@
 import { firstValueFrom, of } from 'rxjs';
 import { PathConfigType, config as pathConfigDef } from '@kbn/utils';
 import type { Logger } from '@kbn/logging';
+import type { IConfigService } from '@kbn/config';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import type { AnalyticsServicePreboot } from '../analytics';
-import { CoreContext } from '../core_context';
-import { IConfigService } from '../config';
 import { HttpConfigType, config as httpConfigDef } from '../http';
 import { PidConfigType, config as pidConfigDef } from './pid_config';
 import { resolveInstanceUuid } from './resolve_uuid';
diff --git a/src/core/server/execution_context/execution_context_config.ts b/src/core/server/execution_context/execution_context_config.ts
index af6e7253433f7..f62a44a8da4d2 100644
--- a/src/core/server/execution_context/execution_context_config.ts
+++ b/src/core/server/execution_context/execution_context_config.ts
@@ -7,7 +7,7 @@
 */
 import { TypeOf, schema } from '@kbn/config-schema';
-import { ServiceConfigDescriptor } from '../internal_types';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 const configSchema = schema.object({
 enabled: schema.boolean({ defaultValue: true }),
diff --git a/src/core/server/execution_context/execution_context_service.ts b/src/core/server/execution_context/execution_context_service.ts
index 9e307280def9d..c43690e0dffa0 100644
--- a/src/core/server/execution_context/execution_context_service.ts
+++ b/src/core/server/execution_context/execution_context_service.ts
@@ -11,8 +11,8 @@ import { isUndefined, omitBy } from 'lodash';
 import type { Subscription } from 'rxjs';
 import type { Logger } from '@kbn/logging';
-import type { CoreService, KibanaExecutionContext } from '../../types';
-import type { CoreContext } from '../core_context';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
+import type { KibanaExecutionContext } from '../../types';
 import type { ExecutionContextConfigType } from './execution_context_config';
 import {
diff --git a/src/core/server/http/http_config.ts b/src/core/server/http/http_config.ts
index 5bc9cfa4993a5..3d592de662337 100644
--- a/src/core/server/http/http_config.ts
+++ b/src/core/server/http/http_config.ts
@@ -8,11 +8,11 @@
 import { ByteSizeValue, schema, TypeOf } from '@kbn/config-schema';
 import { IHttpConfig, SslConfig, sslSchema } from '@kbn/server-http-tools';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 import { hostname } from 'os';
 import url from 'url';
 import type { Duration } from 'moment';
-import { ServiceConfigDescriptor } from '../internal_types';
 import { CspConfigType, CspConfig, ICspConfig } from '../csp';
 import { ExternalUrlConfig, IExternalUrlConfig } from '../external_url';
 import {
diff --git a/src/core/server/http/http_service.mock.ts b/src/core/server/http/http_service.mock.ts
index 557a10da0839d..bf0ae977459e2 100644
--- a/src/core/server/http/http_service.mock.ts
+++ b/src/core/server/http/http_service.mock.ts
@@ -8,6 +8,7 @@
 import { Server } from '@hapi/hapi';
 import type { PublicMethodsOf } from '@kbn/utility-types';
+import { configMock } from '@kbn/config-mocks';
 import { CspConfig } from '../csp';
 import { mockRouter, RouterMock } from './router/router.mock';
@@ -27,7 +28,6 @@ import { sessionStorageMock } from './cookie_session_storage.mocks';
 import { OnPostAuthToolkit } from './lifecycle/on_post_auth';
 import { OnPreAuthToolkit } from './lifecycle/on_pre_auth';
 import { OnPreResponseToolkit } from './lifecycle/on_pre_response';
-import { configMock } from '../config/mocks';
 import { ExternalUrlConfig } from '../external_url';
 import type { IAuthHeadersStorage } from './auth_headers_storage';
diff --git a/src/core/server/http/http_service.test.ts b/src/core/server/http/http_service.test.ts
index 540b90078ece8..83af8db962a61 100644
--- a/src/core/server/http/http_service.test.ts
+++ b/src/core/server/http/http_service.test.ts
@@ -11,11 +11,11 @@ import { mockHttpServer } from './http_service.test.mocks';
 import { noop } from 'lodash';
 import { BehaviorSubject } from 'rxjs';
 import { REPO_ROOT } from '@kbn/utils';
-import { getEnvOptions } from '../config/mocks';
+import { ConfigService, Env } from '@kbn/config';
+import { getEnvOptions } from '@kbn/config-mocks';
 import { HttpService } from '.';
 import { HttpConfigType, config } from './http_config';
 import { httpServerMock } from './http_server.mocks';
-import { ConfigService, Env } from '../config';
 import { loggingSystemMock } from '../logging/logging_system.mock';
 import { contextServiceMock } from '../context/context_service.mock';
 import { executionContextServiceMock } from '../execution_context/execution_context_service.mock';
diff --git a/src/core/server/http/http_service.ts b/src/core/server/http/http_service.ts
index 8ed34dbbb645f..f1ebf775e66bc 100644
--- a/src/core/server/http/http_service.ts
+++ b/src/core/server/http/http_service.ts
@@ -10,14 +10,14 @@ import { Observable, Subscription, combineLatest, firstValueFrom } from 'rxjs';
 import { map } from 'rxjs/operators';
 import { pick } from '@kbn/std';
-import type { Logger } from '@kbn/logging';
+import { Logger } from '@kbn/logging';
+import { Env } from '@kbn/config';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
+import type { PluginOpaqueId } from '@kbn/core-base-common';
+
 import type { RequestHandlerContext } from '..';
 import type { InternalExecutionContextSetup } from '../execution_context';
-import { CoreService } from '../../types';
 import { ContextSetup, InternalContextPreboot } from '../context';
-import { Env } from '../config';
-import { CoreContext } from '../core_context';
-import { PluginOpaqueId } from '../plugins';
 import { CspConfigType, config as cspConfig } from '../csp';
 import { Router } from './router';
diff --git a/src/core/server/http/integration_tests/cookie_session_storage.test.ts b/src/core/server/http/integration_tests/cookie_session_storage.test.ts
index 56e93689555d8..73cd7cd66fc53 100644
--- a/src/core/server/http/integration_tests/cookie_session_storage.test.ts
+++ b/src/core/server/http/integration_tests/cookie_session_storage.test.ts
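Review bot: The replacement line `import { Logger } from '@kbn/logging';` drops the `import type` qualifier that the removed line carried, so `Logger` is now brought in as a value import; unless http_service.ts uses `Logger` at runtime (nothing in the hunk shows that), it should stay `import type { Logger } from '@kbn/logging';` so the import is erased at compile time and matches the other `Logger` imports this commit rewrites as type-only (core_app.ts, core_usage_data_service.ts). The same type-to-value downgrade appears in the metrics_service.ts and plugins/discovery/plugins_discovery.ts hunks. The added bare `+` blank line between the package imports and `RequestHandlerContext` is harmless but splits what was a single import block. The rest of http_service.ts is outside the hunk.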
@@ -8,19 +8,19 @@
 import { parse as parseCookie } from 'tough-cookie';
 import supertest from 'supertest';
-import { REPO_ROOT } from '@kbn/utils';
-import { ByteSizeValue } from '@kbn/config-schema';
 import { BehaviorSubject } from 'rxjs';
 import { duration as momentDuration } from 'moment';
+import { REPO_ROOT } from '@kbn/utils';
+import { ByteSizeValue } from '@kbn/config-schema';
+import { Env } from '@kbn/config';
+import { getEnvOptions, configServiceMock } from '@kbn/config-mocks';
-import { CoreContext } from '../../core_context';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { HttpService } from '../http_service';
-import { Env } from '../../config';
 import { contextServiceMock } from '../../context/context_service.mock';
 import { executionContextServiceMock } from '../../execution_context/execution_context_service.mock';
 import { loggingSystemMock } from '../../logging/logging_system.mock';
-import { getEnvOptions, configServiceMock } from '../../config/mocks';
 import { httpServerMock } from '../http_server.mocks';
 import { createCookieSessionStorageFactory } from '../cookie_session_storage';
diff --git a/src/core/server/http/integration_tests/lifecycle_handlers.test.ts b/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
index c633db11edd7a..d2bf3a4ed809f 100644
--- a/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
+++ b/src/core/server/http/integration_tests/lifecycle_handlers.test.ts
@@ -10,13 +10,13 @@ import supertest from 'supertest';
 import moment from 'moment';
 import { BehaviorSubject } from 'rxjs';
 import { ByteSizeValue } from '@kbn/config-schema';
+import { configServiceMock } from '@kbn/config-mocks';
 import { createHttpServer } from '../test_utils';
 import { HttpService } from '../http_service';
 import { HttpServerSetup } from '../http_server';
 import { IRouter, RouteRegistrar } from '../router';
-import { configServiceMock } from '../../config/mocks';
 import { contextServiceMock } from '../../context/context_service.mock';
 import { executionContextServiceMock } from '../../execution_context/execution_context_service.mock';
diff --git a/src/core/server/http/lifecycle_handlers.ts b/src/core/server/http/lifecycle_handlers.ts
index eed24c8071eaf..bb083bc868726 100644
--- a/src/core/server/http/lifecycle_handlers.ts
+++ b/src/core/server/http/lifecycle_handlers.ts
@@ -6,11 +6,11 @@
 * Side Public License, v 1.
 */
+import { Env } from '@kbn/config';
 import { OnPostAuthHandler } from './lifecycle/on_post_auth';
 import { OnPreResponseHandler } from './lifecycle/on_pre_response';
 import { HttpConfig } from './http_config';
 import { isSafeMethod } from './router';
-import { Env } from '../config';
 import { LifecycleRegistrar } from './http_server';
 const VERSION_HEADER = 'kbn-version';
diff --git a/src/core/server/http/test_utils.ts b/src/core/server/http/test_utils.ts
index 8a8c545b365b3..b8a2bca314fb1 100644
--- a/src/core/server/http/test_utils.ts
+++ b/src/core/server/http/test_utils.ts
@@ -10,10 +10,10 @@ import { BehaviorSubject } from 'rxjs';
 import moment from 'moment';
 import { REPO_ROOT } from '@kbn/utils';
 import { ByteSizeValue } from '@kbn/config-schema';
-import { Env } from '../config';
+import { Env } from '@kbn/config';
+import { getEnvOptions, configServiceMock } from '@kbn/config-mocks';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { HttpService } from './http_service';
-import { CoreContext } from '../core_context';
-import { getEnvOptions, configServiceMock } from '../config/mocks';
 import { loggingSystemMock } from '../logging/logging_system.mock';
 const coreId = Symbol('core');
diff --git a/src/core/server/http_resources/http_resources_service.ts b/src/core/server/http_resources/http_resources_service.ts
index a74d19683611a..978ad8e72621b 100644
--- a/src/core/server/http_resources/http_resources_service.ts
+++ b/src/core/server/http_resources/http_resources_service.ts
@@ -7,9 +7,8 @@
 */
 import type { Logger } from '@kbn/logging';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
 import { RequestHandlerContext } from '..';
-
-import { CoreContext } from '../core_context';
 import {
 IRouter,
 RouteConfig,
@@ -18,10 +17,7 @@ import {
 KibanaResponseFactory,
 InternalHttpServicePreboot,
 } from '../http';
-
 import { InternalRenderingServicePreboot, InternalRenderingServiceSetup } from '../rendering';
-import { CoreService } from '../../types';
-
 import {
 InternalHttpResourcesSetup,
 HttpResources,
diff --git a/src/core/server/i18n/i18n_service.test.ts b/src/core/server/i18n/i18n_service.test.ts
index ad87b371aca33..bfe689d7494bd 100644
--- a/src/core/server/i18n/i18n_service.test.ts
+++ b/src/core/server/i18n/i18n_service.test.ts
@@ -15,7 +15,7 @@ import {
 import { BehaviorSubject } from 'rxjs';
 import { I18nService } from './i18n_service';
-import { configServiceMock } from '../config/mocks';
+import { configServiceMock } from '@kbn/config-mocks';
 import { mockCoreContext } from '../core_context.mock';
 import { httpServiceMock } from '../mocks';
diff --git a/src/core/server/i18n/i18n_service.ts b/src/core/server/i18n/i18n_service.ts
index 483281d3b7cf2..1accf75f252d6 100644
--- a/src/core/server/i18n/i18n_service.ts
+++ b/src/core/server/i18n/i18n_service.ts
@@ -8,8 +8,8 @@
 import { firstValueFrom } from 'rxjs';
 import type { Logger } from '@kbn/logging';
-import { IConfigService } from '../config';
-import { CoreContext } from '../core_context';
+import type { IConfigService } from '@kbn/config';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { InternalHttpServicePreboot, InternalHttpServiceSetup } from '../http';
 import { config as i18nConfigDef, I18nConfigType } from './i18n_config';
 import { getKibanaTranslationFiles } from './get_kibana_translation_files';
diff --git a/src/core/server/index.ts b/src/core/server/index.ts
index ab5db3941615a..9ad6612f979c6 100644
--- a/src/core/server/index.ts
+++ b/src/core/server/index.ts
@@ -109,7 +109,7 @@ export type {
 AddConfigDeprecation,
 EnvironmentMode,
 PackageInfo,
-} from './config';
+} from '@kbn/config';
 export type {
 IContextContainer,
 IContextProvider,
@@ -117,7 +117,7 @@ export type {
 HandlerContextType,
 HandlerParameters,
 } from './context';
-export type { CoreId } from './core_context';
+export type { CoreId } from '@kbn/core-base-common-internal';
 export { CspConfig } from './csp';
 export type { ICspConfig } from './csp';
@@ -261,7 +261,7 @@ export type {
 LogLevel,
 } from '@kbn/logging';
-export { PluginType } from './plugins';
+export { PluginType } from '@kbn/core-base-common';
 export type {
 DiscoveredPlugin,
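Review bot: In the index.ts hunk, `export type { CoreId } from '@kbn/core-base-common-internal';` makes the public `src/core/server` entry point re-export from a package whose name marks it as internal, while the sibling `export { PluginType } from '@kbn/core-base-common';` draws from the public package. If `CoreId` is meant to stay part of the public server surface, consider sourcing it from the non-internal package or adding a one-line comment such as `// CoreId lives in the internal package; re-exported here for backwards compatibility` so the boundary between the two packages stays legible to the next reader. Whether the internal package is allowed as a dependency of this entry point is not visible from the hunk.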
diff --git a/src/core/server/internal_types.ts b/src/core/server/internal_types.ts
index 080e4e61dadb7..4e13dec781fb1 100644
--- a/src/core/server/internal_types.ts
+++ b/src/core/server/internal_types.ts
@@ -6,10 +6,7 @@
 * Side Public License, v 1.
 */
-import { Type } from '@kbn/config-schema';
-
 import { CapabilitiesSetup, CapabilitiesStart } from './capabilities';
-import { ConfigDeprecationProvider } from './config';
 import { InternalContextPreboot, ContextSetup } from './context';
 import {
 InternalElasticsearchServicePreboot,
@@ -101,18 +98,3 @@ export interface InternalCoreStart {
 executionContext: InternalExecutionContextStart;
 deprecations: InternalDeprecationsServiceStart;
 }
-
-/**
- * @internal
- */
-export interface ServiceConfigDescriptor {
- path: string;
- /**
- * Schema to use to validate the configuration.
- */
- schema: Type;
- /**
- * Provider for the {@link ConfigDeprecation} to apply to the plugin configuration.
- */
- deprecations?: ConfigDeprecationProvider;
-}
diff --git a/src/core/server/logging/logging_service.ts b/src/core/server/logging/logging_service.ts
index f5c6bbf8e9422..4a005f365f86b 100644
--- a/src/core/server/logging/logging_service.ts
+++ b/src/core/server/logging/logging_service.ts
@@ -8,10 +8,9 @@
 import { Observable, Subscription } from 'rxjs';
 import { Logger } from '@kbn/logging';
-import { CoreService } from '../../types';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
 import { LoggingConfig, LoggerContextConfigInput } from './logging_config';
 import { ILoggingSystem } from './logging_system';
-import { CoreContext } from '../core_context';
 /**
 * Provides APIs to plugins for customizing the plugin's logger.
diff --git a/src/core/server/metrics/metrics_service.test.ts b/src/core/server/metrics/metrics_service.test.ts
index 27043b8fa2c8a..a8809f60629b7 100644
--- a/src/core/server/metrics/metrics_service.test.ts
+++ b/src/core/server/metrics/metrics_service.test.ts
@@ -8,7 +8,7 @@
 import moment from 'moment';
-import { configServiceMock } from '../config/mocks';
+import { configServiceMock } from '@kbn/config-mocks';
 import { mockOpsCollector } from './metrics_service.test.mocks';
 import { MetricsService } from './metrics_service';
 import { mockCoreContext } from '../core_context.mock';
diff --git a/src/core/server/metrics/metrics_service.ts b/src/core/server/metrics/metrics_service.ts
index 4b44fa46fc8e9..f2515b29e2744 100644
--- a/src/core/server/metrics/metrics_service.ts
+++ b/src/core/server/metrics/metrics_service.ts
@@ -7,9 +7,8 @@
 */
 import { firstValueFrom, ReplaySubject } from 'rxjs';
-import type { Logger } from '@kbn/logging';
-import { CoreService } from '../../types';
-import { CoreContext } from '../core_context';
+import type { CoreContext, CoreService } from '@kbn/core-base-server-internal';
+import { Logger } from '@kbn/logging';
 import { InternalHttpServiceSetup } from '../http';
 import { InternalMetricsServiceSetup, InternalMetricsServiceStart, OpsMetrics } from './types';
 import { OpsMetricsCollector } from './ops_metrics_collector';
diff --git a/src/core/server/mocks.ts b/src/core/server/mocks.ts
index cb7010808fe32..45fed1fd54dbb 100644
--- a/src/core/server/mocks.ts
+++ b/src/core/server/mocks.ts
@@ -42,7 +42,7 @@ import { prebootServiceMock } from './preboot/preboot_service.mock';
 import { docLinksServiceMock } from './doc_links/doc_links_service.mock';
 import { analyticsServiceMock } from './analytics/analytics_service.mock';
-export { configServiceMock, configDeprecationsMock } from './config/mocks';
+export { configServiceMock, configDeprecationsMock } from '@kbn/config-mocks';
 export { httpServerMock } from './http/http_server.mocks';
 export { httpResourcesMock } from './http_resources/http_resources_service.mock';
 export { sessionStorageMock } from './http/cookie_session_storage.mocks';
diff --git a/src/core/server/plugins/discovery/plugin_manifest_parser.ts b/src/core/server/plugins/discovery/plugin_manifest_parser.ts
index d498295ec5cc2..0a54899856ac1 100644
--- a/src/core/server/plugins/discovery/plugin_manifest_parser.ts
+++ b/src/core/server/plugins/discovery/plugin_manifest_parser.ts
@@ -11,8 +11,9 @@ import { resolve } from 'path';
 import { coerce } from 'semver';
 import { promisify } from 'util';
 import { snakeCase } from 'lodash';
-import { isConfigPath, PackageInfo } from '../../config';
-import { PluginManifest, PluginType } from '../types';
+import { isConfigPath, PackageInfo } from '@kbn/config';
+import { PluginType } from '@kbn/core-base-common';
+import { PluginManifest } from '../types';
 import { PluginDiscoveryError } from './plugin_discovery_error';
 import { isCamelCase } from './is_camel_case';
diff --git a/src/core/server/plugins/discovery/plugins_discovery.test.ts b/src/core/server/plugins/discovery/plugins_discovery.test.ts
index 91fc7bd403dca..98e25b31ca5a1 100644
--- a/src/core/server/plugins/discovery/plugins_discovery.test.ts
+++ b/src/core/server/plugins/discovery/plugins_discovery.test.ts
@@ -10,17 +10,17 @@ import { REPO_ROOT } from '@kbn/utils';
 import { mockPackage, scanPluginSearchPathsMock } from './plugins_discovery.test.mocks';
 import mockFs from 'mock-fs';
+import { getEnvOptions, rawConfigServiceMock } from '@kbn/config-mocks';
 import { loggingSystemMock } from '../../logging/logging_system.mock';
-import { getEnvOptions, rawConfigServiceMock } from '../../config/mocks';
 import { firstValueFrom, from } from 'rxjs';
 import { map, toArray } from 'rxjs/operators';
 import { resolve } from 'path';
-import { ConfigService, Env } from '../../config';
+import { ConfigService, Env } from '@kbn/config';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { PluginsConfig, PluginsConfigType, config } from '../plugins_config';
 import type { InstanceInfo } from '../plugin_context';
 import { discover } from './plugins_discovery';
-import { CoreContext } from '../../core_context';
 import { PluginType } from '../types';
 const KIBANA_ROOT = process.cwd();
diff --git a/src/core/server/plugins/discovery/plugins_discovery.ts b/src/core/server/plugins/discovery/plugins_discovery.ts
index 89f9fd9d52648..55b225c198c80 100644
--- a/src/core/server/plugins/discovery/plugins_discovery.ts
+++ b/src/core/server/plugins/discovery/plugins_discovery.ts
@@ -8,8 +8,8 @@
 import { from, merge } from 'rxjs';
 import { catchError, filter, map, mergeMap, concatMap, shareReplay, toArray } from 'rxjs/operators';
-import type { Logger } from '@kbn/logging';
-import { CoreContext } from '../../core_context';
+import { Logger } from '@kbn/logging';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { PluginWrapper } from '../plugin';
 import { createPluginInitializerContext, InstanceInfo } from '../plugin_context';
 import { PluginsConfig } from '../plugins_config';
diff --git a/src/core/server/plugins/integration_tests/plugins_service.test.ts b/src/core/server/plugins/integration_tests/plugins_service.test.ts
index ebbb3fa473b6d..12b0a74a5f230 100644
--- a/src/core/server/plugins/integration_tests/plugins_service.test.ts
+++ b/src/core/server/plugins/integration_tests/plugins_service.test.ts
@@ -12,9 +12,9 @@ import { mockPackage, mockDiscover } from './plugins_service.test.mocks';
 import { join } from 'path';
+import { ConfigPath, ConfigService, Env } from '@kbn/config';
+import { getEnvOptions, rawConfigServiceMock } from '@kbn/config-mocks';
 import { PluginsService } from '../plugins_service';
-import { ConfigPath, ConfigService, Env } from '../../config';
-import { getEnvOptions, rawConfigServiceMock } from '../../config/mocks';
 import { BehaviorSubject, from } from 'rxjs';
 import { config } from '../plugins_config';
 import { loggingSystemMock } from '../../logging/logging_system.mock';
diff --git a/src/core/server/plugins/legacy_config.test.ts b/src/core/server/plugins/legacy_config.test.ts
index af8cff843edf0..0dd20ec986130 100644
--- a/src/core/server/plugins/legacy_config.test.ts
+++ b/src/core/server/plugins/legacy_config.test.ts
@@ -8,7 +8,7 @@
 import { take } from 'rxjs/operators';
 import { ConfigService, Env } from '@kbn/config';
-import { getEnvOptions, rawConfigServiceMock } from '../config/mocks';
+import { getEnvOptions, rawConfigServiceMock } from '@kbn/config-mocks';
 import { getGlobalConfig, getGlobalConfig$ } from './legacy_config';
 import { REPO_ROOT } from '@kbn/utils';
 import { loggingSystemMock } from '../logging/logging_system.mock';
diff --git a/src/core/server/plugins/plugin.test.ts b/src/core/server/plugins/plugin.test.ts
index 41718d22fd50a..2b9774f4c4458 100644
--- a/src/core/server/plugins/plugin.test.ts
+++ b/src/core/server/plugins/plugin.test.ts
@@ -10,12 +10,12 @@ import { join } from 'path';
 import { BehaviorSubject } from 'rxjs';
 import { REPO_ROOT } from '@kbn/utils';
 import { schema } from '@kbn/config-schema';
+import { Env } from '@kbn/config';
-import { Env } from '../config';
-import { CoreContext } from '../core_context';
+import { configServiceMock, getEnvOptions } from '@kbn/config-mocks';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import { coreMock } from '../mocks';
 import { loggingSystemMock } from '../logging/logging_system.mock';
-import { configServiceMock, getEnvOptions } from '../config/mocks';
 import { PluginWrapper } from './plugin';
 import { PluginManifest, PluginType } from './types';
diff --git a/src/core/server/plugins/plugin.ts b/src/core/server/plugins/plugin.ts
index 2dbb82accc14e..9ddab175d313a 100644
--- a/src/core/server/plugins/plugin.ts
+++ b/src/core/server/plugins/plugin.ts
@@ -12,7 +12,7 @@ import { firstValueFrom, Subject } from 'rxjs';
 import { isPromise } from '@kbn/std';
 import { isConfigSchema } from '@kbn/config-schema';
 import type { Logger } from '@kbn/logging';
-
+import { PluginType } from '@kbn/core-base-common';
 import {
 AsyncPlugin,
 Plugin,
@@ -21,7 +21,6 @@ import {
 PluginInitializerContext,
 PluginManifest,
 PluginOpaqueId,
- PluginType,
 PrebootPlugin,
 } from './types';
 import { CorePreboot, CoreSetup, CoreStart } from '..';
diff --git a/src/core/server/plugins/plugin_context.test.ts b/src/core/server/plugins/plugin_context.test.ts
index 7bcf392ed510b..d248ea05e7f62 100644
--- a/src/core/server/plugins/plugin_context.test.ts
+++ b/src/core/server/plugins/plugin_context.test.ts
@@ -10,19 +10,19 @@ import { duration } from 'moment';
 import { first } from 'rxjs/operators';
 import { REPO_ROOT } from '@kbn/utils';
 import { fromRoot } from '@kbn/utils';
+import { rawConfigServiceMock, getEnvOptions, configServiceMock } from '@kbn/config-mocks';
+import type { CoreContext } from '@kbn/core-base-server-internal';
 import {
 createPluginInitializerContext,
 createPluginPrebootSetupContext,
 InstanceInfo,
 } from './plugin_context';
-import { CoreContext } from '../core_context';
-import { Env } from '../config';
+
 import { loggingSystemMock } from '../logging/logging_system.mock';
-import { rawConfigServiceMock, getEnvOptions, configServiceMock } from '../config/mocks';
 import { PluginManifest, PluginType } from './types';
 import { Server } from '../server';
 import { schema, ByteSizeValue } from '@kbn/config-schema';
-import { ConfigService } from '@kbn/config';
+import { ConfigService, Env } from '@kbn/config';
 import { PluginWrapper } from './plugin';
 import { coreMock } from '../mocks';
diff --git a/src/core/server/plugins/plugin_context.ts b/src/core/server/plugins/plugin_context.ts
index 81e3b3a107c72..0b60339b365a8 100644
--- a/src/core/server/plugins/plugin_context.ts
+++ b/src/core/server/plugins/plugin_context.ts
@@ -7,15 +7,16 @@ */ import { shareReplay } from 'rxjs/operators'; +import type { CoreContext } from '@kbn/core-base-server-internal'; +import type { PluginOpaqueId } from '@kbn/core-base-common'; import type { RequestHandlerContext } from '..'; -import { CoreContext } from '../core_context'; import { PluginWrapper } from './plugin'; import { PluginsServicePrebootSetupDeps, PluginsServiceSetupDeps, PluginsServiceStartDeps, } from './plugins_service'; -import { PluginInitializerContext, PluginManifest, PluginOpaqueId } from './types'; +import { PluginInitializerContext, PluginManifest } from './types'; import { IRouter, RequestHandlerContextProvider } from '../http'; import { getGlobalConfig, getGlobalConfig$ } from './legacy_config'; import { CorePreboot, CoreSetup, CoreStart } from '..'; diff --git a/src/core/server/plugins/plugins_config.test.ts b/src/core/server/plugins/plugins_config.test.ts index b9225054e63ef..49bfdf34a34b9 100644 --- a/src/core/server/plugins/plugins_config.test.ts +++ b/src/core/server/plugins/plugins_config.test.ts @@ -7,9 +7,9 @@ */ import { REPO_ROOT } from '@kbn/utils'; -import { getEnvOptions } from '../config/mocks'; +import { Env } from '@kbn/config'; +import { getEnvOptions } from '@kbn/config-mocks'; import { PluginsConfig, PluginsConfigType } from './plugins_config'; -import { Env } from '../config'; describe('PluginsConfig', () => { it('retrieves additionalPluginPaths from config.paths when in production mode', () => { diff --git a/src/core/server/plugins/plugins_config.ts b/src/core/server/plugins/plugins_config.ts index 6624fc40d2c0a..8de7a0471c650 100644 --- a/src/core/server/plugins/plugins_config.ts +++ b/src/core/server/plugins/plugins_config.ts 
@@ -7,8 +7,8 @@ */ import { schema, TypeOf } from '@kbn/config-schema'; -import { ServiceConfigDescriptor } from '../internal_types'; -import { Env } from '../config'; +import { Env } from '@kbn/config'; +import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal'; const configSchema = schema.object({ initialize: schema.boolean({ defaultValue: true }), diff --git a/src/core/server/plugins/plugins_service.test.ts b/src/core/server/plugins/plugins_service.test.ts index e22a6f09edd18..f0dbe5dfe00c7 100644 --- a/src/core/server/plugins/plugins_service.test.ts +++ b/src/core/server/plugins/plugins_service.test.ts @@ -10,12 +10,12 @@ import { mockDiscover, mockPackage } from './plugins_service.test.mocks'; import { resolve, join } from 'path'; import { BehaviorSubject, from } from 'rxjs'; -import { schema } from '@kbn/config-schema'; import { createAbsolutePathSerializer } from '@kbn/jest-serializers'; import { REPO_ROOT } from '@kbn/utils'; +import { schema } from '@kbn/config-schema'; +import { ConfigPath, ConfigService, Env } from '@kbn/config'; -import { ConfigPath, ConfigService, Env } from '../config'; -import { rawConfigServiceMock, getEnvOptions } from '../config/mocks'; +import { rawConfigServiceMock, getEnvOptions } from '@kbn/config-mocks'; import { coreMock } from '../mocks'; import { loggingSystemMock } from '../logging/logging_system.mock'; import { environmentServiceMock } from '../environment/environment_service.mock'; diff --git a/src/core/server/plugins/plugins_service.ts b/src/core/server/plugins/plugins_service.ts index 73708d44a5a5d..ae9e109dc23bd 100644 --- a/src/core/server/plugins/plugins_service.ts +++ b/src/core/server/plugins/plugins_service.ts 
@@ -11,9 +11,10 @@ import { firstValueFrom, Observable } from 'rxjs'; import { filter, map, tap, toArray } from 'rxjs/operators'; import { getFlattenedObject } from '@kbn/std'; -import type { Logger } from '@kbn/logging'; -import { CoreService } from '../../types'; -import { CoreContext } from '../core_context'; +import { Logger } from '@kbn/logging'; +import type { IConfigService } from '@kbn/config'; +import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; +import type { PluginName } from '@kbn/core-base-common'; import { discover, PluginDiscoveryError, PluginDiscoveryErrorType } from './discovery'; import { PluginWrapper } from './plugin'; import { @@ -21,14 +22,12 @@ import { InternalPluginInfo, PluginConfigDescriptor, PluginDependencies, - PluginName, PluginType, } from './types'; import { PluginsConfig, PluginsConfigType } from './plugins_config'; import { PluginsSystem } from './plugins_system'; import { createBrowserConfig } from './create_browser_config'; import { InternalCorePreboot, InternalCoreSetup, InternalCoreStart } from '../internal_types'; -import { IConfigService } from '../config'; import { InternalEnvironmentServicePreboot } from '../environment'; /** @internal */ diff --git a/src/core/server/plugins/plugins_system.test.ts b/src/core/server/plugins/plugins_system.test.ts index 7dbbcbba02c20..6d2428c566c7f 100644 --- a/src/core/server/plugins/plugins_system.test.ts +++ b/src/core/server/plugins/plugins_system.test.ts 
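Review bot: The first added line in the `@@ -11,9 +11,10 @@` hunk turns a type-only import into a value import (`-import type { Logger }` → `+import { Logger }`), while the same commit does the reverse in preboot_service.ts, which suggests `Logger` is treated as a type elsewhere; keeping `import type { Logger } from '@kbn/logging';` here avoids an emitted runtime import and keeps the file consistent with its neighbours. The plugins_system.test.ts and plugins_system.ts hunks make the same `import type` → `import` change and should get the same treatment. If the repository's lint configuration enforces consistent type imports, this is likely to be flagged there as well.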
@@ -15,14 +15,15 @@ import { import { BehaviorSubject } from 'rxjs'; import { REPO_ROOT } from '@kbn/utils'; -import type { Logger } from '@kbn/logging'; -import { Env } from '../config'; -import { configServiceMock, getEnvOptions } from '../config/mocks'; -import { CoreContext } from '../core_context'; +import type { PluginName } from '@kbn/core-base-common'; +import type { CoreContext } from '@kbn/core-base-server-internal'; +import { Logger } from '@kbn/logging'; +import { Env } from '@kbn/config'; +import { configServiceMock, getEnvOptions } from '@kbn/config-mocks'; import { loggingSystemMock } from '../logging/logging_system.mock'; import { PluginWrapper } from './plugin'; -import { PluginName, PluginType } from './types'; +import { PluginType } from './types'; import { PluginsSystem } from './plugins_system'; import { coreMock } from '../mocks'; diff --git a/src/core/server/plugins/plugins_system.ts b/src/core/server/plugins/plugins_system.ts index 98d04478ea00f..57db8e7c70f49 100644 --- a/src/core/server/plugins/plugins_system.ts +++ b/src/core/server/plugins/plugins_system.ts @@ -7,10 +7,11 @@ */ import { withTimeout, isPromise } from '@kbn/std'; -import type { Logger } from '@kbn/logging'; -import { CoreContext } from '../core_context'; +import type { PluginName } from '@kbn/core-base-common'; +import type { CoreContext } from '@kbn/core-base-server-internal'; +import { Logger } from '@kbn/logging'; import { PluginWrapper } from './plugin'; -import { DiscoveredPlugin, PluginDependencies, PluginName, PluginType } from './types'; +import { DiscoveredPlugin, PluginDependencies, PluginType } from './types'; import { createPluginPrebootSetupContext, createPluginSetupContext, diff --git a/src/core/server/plugins/types.ts b/src/core/server/plugins/types.ts index 3a6856ddaf08d..c6088e129de73 100644 --- a/src/core/server/plugins/types.ts +++ b/src/core/server/plugins/types.ts 
@@ -11,14 +11,24 @@ import { Type } from '@kbn/config-schema'; import { RecursiveReadonly } from '@kbn/utility-types'; import { PathConfigType } from '@kbn/utils'; import { LoggerFactory } from '@kbn/logging'; +import type { + ConfigPath, + EnvironmentMode, + PackageInfo, + ConfigDeprecationProvider, +} from '@kbn/config'; +import type { PluginName, PluginOpaqueId, PluginType } from '@kbn/core-base-common'; -import { ConfigPath, EnvironmentMode, PackageInfo, ConfigDeprecationProvider } from '../config'; import { ElasticsearchConfigType } from '../elasticsearch/elasticsearch_config'; import { SavedObjectsConfigType } from '../saved_objects/saved_objects_config'; import { CorePreboot, CoreSetup, CoreStart } from '..'; type Maybe = T | undefined; +// re-exporting for now to avoid adapting all imports, will be removed later on in the migration process +export type { PluginName, PluginOpaqueId, DiscoveredPlugin } from '@kbn/core-base-common'; +export { PluginType } from '@kbn/core-base-common'; + /** * Dedicated type for plugin configuration schema. * @@ -121,29 +131,6 @@ export type MakeUsageFromSchema = { : boolean; }; -/** - * Dedicated type for plugin name/id that is supposed to make Map/Set/Arrays - * that use it as a key or value more obvious. - * - * @public - */ -export type PluginName = string; - -/** @public */ -export type PluginOpaqueId = symbol; - -/** @public */ -export enum PluginType { - /** - * Preboot plugins are special-purpose plugins that only function during preboot stage. - */ - preboot = 'preboot', - /** - * Standard plugins are plugins that start to function as soon as Kibana is fully booted and are active until it shuts down. - */ - standard = 'standard', -} - /** @internal */ export interface PluginDependencies { asNames: ReadonlyMap; 
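Review bot: The added re-export block in the `@@ -11,14 +11,24 @@` hunk is documented only by a line comment saying it "will be removed later", which nothing in the toolchain can act on; marking the two re-export statements with a JSDoc `/** @deprecated import from '@kbn/core-base-common' instead; temporary re-export during the core package migration */` makes remaining importers visible in editors and in any lint rule that honours the tag, provided the toolchain applies it to re-exports. The `PluginType` line is a value re-export (the enum), while the other three are `export type`, so a reader benefits from the comment stating that `PluginType` is kept as a value on purpose.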
@@ -267,59 +254,6 @@ export interface PluginManifest { readonly enabledOnAnonymousPages?: boolean; } -/** - * Small container object used to expose information about discovered plugins that may - * or may not have been started. - * @public - */ -export interface DiscoveredPlugin { - /** - * Identifier of the plugin. - */ - readonly id: PluginName; - - /** - * Root configuration path used by the plugin, defaults to "id" in snake_case format. - */ - readonly configPath: ConfigPath; - - /** - * Type of the plugin, defaults to `standard`. - */ - readonly type: PluginType; - - /** - * An optional list of the other plugins that **must be** installed and enabled - * for this plugin to function properly. - */ - readonly requiredPlugins: readonly PluginName[]; - - /** - * An optional list of the other plugins that if installed and enabled **may be** - * leveraged by this plugin for some additional functionality but otherwise are - * not required for this plugin to work properly. - */ - readonly optionalPlugins: readonly PluginName[]; - - /** - * List of plugin ids that this plugin's UI code imports modules from that are - * not in `requiredPlugins`. - * - * @remarks - * The plugins listed here will be loaded in the browser, even if the plugin is - * disabled. Required by `@kbn/optimizer` to support cross-plugin imports. - * "core" and plugins already listed in `requiredPlugins` do not need to be - * duplicated here. - */ - readonly requiredBundles: readonly PluginName[]; - - /** - * Specifies whether this plugin - and its required dependencies - will be enabled for anonymous pages (login page, status page when - * configured, etc.) Default is false. - */ - readonly enabledOnAnonymousPages?: boolean; -} - /** * @internal */ diff --git a/src/core/server/preboot/preboot_service.test.ts b/src/core/server/preboot/preboot_service.test.ts index e1c42924dac3d..7dc0eac5c4348 100644 --- a/src/core/server/preboot/preboot_service.test.ts 
+++ b/src/core/server/preboot/preboot_service.test.ts @@ -9,7 +9,7 @@ import { REPO_ROOT } from '@kbn/utils'; import { LoggerFactory } from '@kbn/logging'; import { Env } from '@kbn/config'; -import { getEnvOptions } from '../config/mocks'; +import { getEnvOptions } from '@kbn/config-mocks'; import { configServiceMock, loggingSystemMock } from '../mocks'; import { PrebootService } from './preboot_service'; diff --git a/src/core/server/preboot/preboot_service.ts b/src/core/server/preboot/preboot_service.ts index 5795f4845493d..328f4f2cdd360 100644 --- a/src/core/server/preboot/preboot_service.ts +++ b/src/core/server/preboot/preboot_service.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import { Logger } from '@kbn/logging'; -import { CoreContext } from '../core_context'; +import type { Logger } from '@kbn/logging'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import { InternalPrebootServicePreboot } from './types'; /** @internal */ diff --git a/src/core/server/preboot/types.ts b/src/core/server/preboot/types.ts index 61abc327c9ddb..4d36eeb569429 100644 --- a/src/core/server/preboot/types.ts +++ b/src/core/server/preboot/types.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { PluginName } from '..'; +import type { PluginName } from '@kbn/core-base-common'; /** @internal */ export interface InternalPrebootServicePreboot { diff --git a/src/core/server/rendering/index.ts b/src/core/server/rendering/index.ts index ce38cfab16de0..6cf0e2a74aa1f 100644 --- a/src/core/server/rendering/index.ts +++ b/src/core/server/rendering/index.ts @@ -8,7 +8,6 @@ export { RenderingService } from './rendering_service'; export type { - InjectedMetadata, InternalRenderingServicePreboot, InternalRenderingServiceSetup, IRenderOptions, diff --git a/src/core/server/rendering/rendering_service.tsx b/src/core/server/rendering/rendering_service.tsx index 3e50aac6fcbdd..2ce22b731b5e5 100644 --- a/src/core/server/rendering/rendering_service.tsx 
+++ b/src/core/server/rendering/rendering_service.tsx @@ -13,8 +13,8 @@ import { i18n } from '@kbn/i18n'; import type { ThemeVersion } from '@kbn/ui-shared-deps-npm'; import { firstValueFrom, of } from 'rxjs'; +import type { CoreContext } from '@kbn/core-base-server-internal'; import type { UiPlugins } from '../plugins'; -import { CoreContext } from '../core_context'; import { Template } from './views'; import { IRenderOptions, diff --git a/src/core/server/rendering/types.ts b/src/core/server/rendering/types.ts index 82758018b859d..c665df5d84d73 100644 --- a/src/core/server/rendering/types.ts +++ b/src/core/server/rendering/types.ts @@ -8,15 +8,13 @@ import { i18n } from '@kbn/i18n'; import type { ThemeVersion } from '@kbn/ui-shared-deps-npm'; - +import type { InjectedMetadata } from '@kbn/core-injected-metadata-common-internal'; import { InternalElasticsearchServiceSetup } from '../elasticsearch'; -import { EnvironmentMode, PackageInfo } from '../config'; import { ICspConfig } from '../csp'; import { InternalHttpServicePreboot, InternalHttpServiceSetup, KibanaRequest } from '../http'; -import { UiPlugins, DiscoveredPlugin } from '../plugins'; -import { IUiSettingsClient, UserProvidedValues } from '../ui_settings'; +import { UiPlugins } from '../plugins'; +import { IUiSettingsClient } from '../ui_settings'; import type { InternalStatusServiceSetup } from '../status'; -import { IExternalUrlPolicy } from '../external_url'; /** @internal */ export interface RenderingMetadata { 
@@ -31,47 +29,6 @@ export interface RenderingMetadata { injectedMetadata: InjectedMetadata; } -/** @internal */ -export interface InjectedMetadata { - version: string; - buildNumber: number; - branch: string; - basePath: string; - serverBasePath: string; - publicBaseUrl?: string; - clusterInfo: { - cluster_uuid?: string; - cluster_name?: string; - cluster_version?: string; - }; - env: { - mode: EnvironmentMode; - packageInfo: PackageInfo; - }; - anonymousStatusPage: boolean; - i18n: { - translationsUrl: string; - }; - theme: { - darkMode: boolean; - version: ThemeVersion; - }; - csp: Pick; - externalUrl: { policy: IExternalUrlPolicy[] }; - vars: Record; - uiPlugins: Array<{ - id: string; - plugin: DiscoveredPlugin; - config?: Record; - }>; - legacyMetadata: { - uiSettings: { - defaults: Record; - user: Record>; - }; - }; -} - /** @internal */ export interface RenderingPrebootDeps { http: InternalHttpServicePreboot; diff --git a/src/core/server/root/index.test.mocks.ts b/src/core/server/root/index.test.mocks.ts index dc67bccf6dabb..ee4f9e9676904 100644 --- a/src/core/server/root/index.test.mocks.ts +++ b/src/core/server/root/index.test.mocks.ts @@ -14,7 +14,7 @@ jest.doMock('../logging/logging_system', () => ({ const realKbnConfig = jest.requireActual('@kbn/config'); -import { configServiceMock, rawConfigServiceMock } from '../config/mocks'; +import { configServiceMock, rawConfigServiceMock } from '@kbn/config-mocks'; export const configService = configServiceMock.create(); export const rawConfigService = rawConfigServiceMock.create(); jest.doMock('@kbn/config', () => ({ diff --git a/src/core/server/root/index.test.ts b/src/core/server/root/index.test.ts index 6ea3e05b9c2c2..707975affd2b8 100644 --- a/src/core/server/root/index.test.ts +++ b/src/core/server/root/index.test.ts 
@@ -11,9 +11,9 @@ import { rawConfigService, configService, logger, mockServer } from './index.tes import { BehaviorSubject } from 'rxjs'; import { filter, first } from 'rxjs/operators'; import { REPO_ROOT } from '@kbn/utils'; -import { getEnvOptions } from '../config/mocks'; +import { Env } from '@kbn/config'; +import { getEnvOptions } from '@kbn/config-mocks'; import { Root } from '.'; -import { Env } from '../config'; const env = Env.createDefault(REPO_ROOT, getEnvOptions()); diff --git a/src/core/server/root/index.ts b/src/core/server/root/index.ts index 8804a31977aab..530d37623cc11 100644 --- a/src/core/server/root/index.ts +++ b/src/core/server/root/index.ts @@ -9,7 +9,7 @@ import { ConnectableObservable, Subscription } from 'rxjs'; import { first, publishReplay, switchMap, concatMap, tap } from 'rxjs/operators'; import type { Logger, LoggerFactory } from '@kbn/logging'; -import { Env, RawConfigurationProvider } from '../config'; +import { Env, RawConfigurationProvider } from '@kbn/config'; import { LoggingConfigType, LoggingSystem } from '../logging'; import { Server } from '../server'; diff --git a/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts b/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts index 533ada6078caa..84a8d94f8bf2c 100644 --- a/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts +++ b/src/core/server/saved_objects/deprecations/unknown_object_types.test.ts 
@@ -8,21 +8,11 @@ import { getIndexForTypeMock } from './unknown_object_types.test.mocks'; -import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { deleteUnknownTypeObjects, getUnknownTypesDeprecations } from './unknown_object_types'; import { typeRegistryMock } from '../saved_objects_type_registry.mock'; import { elasticsearchClientMock } from '../../elasticsearch/client/mocks'; import { SavedObjectsType } from '../..'; - -const createSearchResponse = (count: number): estypes.SearchResponse => { - return { - hits: { - total: count, - max_score: 0, - hits: new Array(count).fill({}), - }, - } as estypes.SearchResponse; -}; +import { createAggregateTypesSearchResponse } from '../migrations/actions/check_for_unknown_docs.mocks'; describe('unknown saved object types deprecation', () => { const kibanaVersion = '8.0.0'; @@ -48,7 +38,7 @@ describe('unknown saved object types deprecation', () => { describe('getUnknownTypesDeprecations', () => { beforeEach(() => { - esClient.asInternalUser.search.mockResponse(createSearchResponse(0)); + esClient.asInternalUser.search.mockResponse(createAggregateTypesSearchResponse()); }); it('calls `esClient.asInternalUser.search` with the correct parameters', async () => { 
@@ -62,19 +52,36 @@ describe('unknown saved object types deprecation', () => { expect(esClient.asInternalUser.search).toHaveBeenCalledTimes(1); expect(esClient.asInternalUser.search).toHaveBeenCalledWith({ index: ['foo-index', 'bar-index'], - body: { - size: 10000, - query: { - bool: { - must_not: [{ term: { type: 'foo' } }, { term: { type: 'bar' } }], + size: 0, + aggs: { + typesAggregation: { + terms: { + missing: '__UNKNOWN__', + field: 'type', + size: 1000, }, + aggs: { + docs: { + top_hits: { + size: 100, + _source: { + excludes: ['*'], + }, + }, + }, + }, + }, + }, + query: { + bool: { + must_not: [{ term: { type: 'foo' } }, { term: { type: 'bar' } }], }, }, }); }); it('returns no deprecation if no unknown type docs are found', async () => { - esClient.asInternalUser.search.mockResponse(createSearchResponse(0)); + esClient.asInternalUser.search.mockResponse(createAggregateTypesSearchResponse()); const deprecations = await getUnknownTypesDeprecations({ esClient, @@ -87,7 +94,13 @@ describe('unknown saved object types deprecation', () => { }); it('returns a deprecation if any unknown type docs are found', async () => { - esClient.asInternalUser.search.mockResponse(createSearchResponse(1)); + esClient.asInternalUser.search.mockResponse( + createAggregateTypesSearchResponse({ + someType: ['id1', 'id2'], + anotherType: ['id3'], + __UNKNOWN__: ['id4'], + }) + ); const deprecations = await getUnknownTypesDeprecations({ esClient, @@ -125,6 +138,7 @@ describe('unknown saved object types deprecation', () => { }); expect(esClient.asInternalUser.deleteByQuery).toHaveBeenCalledTimes(1); + expect(esClient.asInternalUser.deleteByQuery).toHaveBeenCalledWith({ index: ['foo-index', 'bar-index'], wait_for_completion: false, diff --git a/src/core/server/saved_objects/deprecations/unknown_object_types.ts b/src/core/server/saved_objects/deprecations/unknown_object_types.ts index 28dbc4dcd41fa..9e48c84860b48 100644 
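Review bot: The `calls esClient.asInternalUser.search with the correct parameters` assertion pins `size: 1000` for the terms bucket and `size: 100` for `top_hits`, but no test exercises a response where a type bucket holds more ids than `top_hits.size`, so whether the resulting deprecation reports a truncated listing or silently drops ids is unspecified by these tests. A case that passes `createAggregateTypesSearchResponse` a bucket with more than 100 ids and asserts on the produced deprecation text would close that gap. The `returns a deprecation if any unknown type docs are found` case feeds a `__UNKNOWN__` bucket but only checks that a deprecation exists, so how that sentinel surfaces in user-facing output (it previously appeared as `'unknown'`) is also unasserted.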
--- a/src/core/server/saved_objects/deprecations/unknown_object_types.ts +++ b/src/core/server/saved_objects/deprecations/unknown_object_types.ts @@ -6,12 +6,12 @@ * Side Public License, v 1. */ -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { i18n } from '@kbn/i18n'; import type { DeprecationsDetails } from '../../deprecations'; import { IScopedClusterClient } from '../../elasticsearch'; +import { getAggregatedTypesDocuments } from '../migrations/actions/check_for_unknown_docs'; +import { addExcludedTypesToBoolQuery } from '../migrations/model/helpers'; import { ISavedObjectTypeRegistry } from '../saved_objects_type_registry'; -import { SavedObjectsRawDocSource } from '../serialization'; import { getIndexForType } from '../service/lib'; interface UnknownTypesDeprecationOptions { @@ -49,16 +49,6 @@ const getTargetIndices = ({ ]; }; -const getUnknownTypesQuery = (knownTypes: string[]): estypes.QueryDslQueryContainer => { - return { - bool: { - must_not: knownTypes.map((type) => ({ - term: { type }, - })), - }, - }; -}; - const getUnknownSavedObjects = async ({ typeRegistry, esClient, @@ -72,18 +62,12 @@ const getUnknownSavedObjects = async ({ kibanaIndex, kibanaVersion, }); - const query = getUnknownTypesQuery(knownTypes); - - const body = await esClient.asInternalUser.search({ - index: targetIndices, - body: { - size: 10000, - query, - }, - }); - const { hits: unknownDocs } = body.hits; - - return unknownDocs.map((doc) => ({ id: doc._id, type: doc._source?.type ?? 'unknown' })); + const excludeRegisteredTypes = addExcludedTypesToBoolQuery(knownTypes); + return await getAggregatedTypesDocuments( + esClient.asInternalUser, + targetIndices, + excludeRegisteredTypes + ); }; export const getUnknownTypesDeprecations = async ( 
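Review bot: In the `@@ -72,18 +62,12 @@` hunk `getUnknownSavedObjects` now returns whatever `getAggregatedTypesDocuments` yields, and, judging by the query asserted in the companion test, that is bounded to 1000 type buckets and 100 ids per bucket (previously up to 10000 hits), whereas `deleteUnknownTypeObjects` still issues an unbounded `deleteByQuery` over the same filter; the deprecation shown to the operator is therefore a sample of what the corrective action will delete, and the deprecation text (or a comment on this function) should say so, e.g. `// NOTE: the listing is capped per type by the aggregation; deleteUnknownTypeObjects removes all matches`. The enclosing function starts outside this hunk. `return await getAggregatedTypesDocuments(...)` inside an async function without a try/catch can be `return getAggregatedTypesDocuments(...)`. If the bucket key is what ends up as the reported `type`, docs lacking a `type` field now surface as `__UNKNOWN__` rather than the former `'unknown'` fallback, which is a user-visible wording change worth a line in the description.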
@@ -149,13 +133,13 @@ export const deleteUnknownTypeObjects = async ({ kibanaIndex, kibanaVersion, }); - const query = getUnknownTypesQuery(knownTypes); + const nonRegisteredTypesQuery = addExcludedTypesToBoolQuery(knownTypes); await esClient.asInternalUser.deleteByQuery({ index: targetIndices, wait_for_completion: false, body: { - query, + query: nonRegisteredTypesQuery, }, }); }; diff --git a/src/core/server/saved_objects/migrations/__snapshots__/migrations_state_action_machine.test.ts.snap b/src/core/server/saved_objects/migrations/__snapshots__/migrations_state_action_machine.test.ts.snap index 971e2d9129d47..a812c07ba3786 100644 --- a/src/core/server/saved_objects/migrations/__snapshots__/migrations_state_action_machine.test.ts.snap +++ b/src/core/server/saved_objects/migrations/__snapshots__/migrations_state_action_machine.test.ts.snap 
@@ -20,54 +20,9 @@ Object { "batchSize": 1000, "controlState": "LEGACY_REINDEX", "currentAlias": ".my-so-index", + "discardUnknownObjects": false, "excludeFromUpgradeFilterHooks": Object {}, - "indexPrefix": ".my-so-index", - "kibanaVersion": "7.11.0", - "knownTypes": Array [], - "legacyIndex": ".my-so-index", - "logs": Array [ - Object { - "level": "info", - "message": "Log from LEGACY_REINDEX control state", - }, - ], - "maxBatchSizeBytes": 100000000, - "migrationDocLinks": Object { - "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", - "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", - "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", - "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", - }, - "outdatedDocuments": Array [], - "outdatedDocumentsQuery": Object { - "bool": Object { - "should": Array [], - }, - }, - "preMigrationScript": Object { - "_tag": "None", - }, - "retryAttempts": 5, - "retryCount": 0, - "retryDelay": 0, - "targetIndexMappings": Object { - "properties": Object {}, - }, - "tempIndex": ".my-so-index_7.11.0_reindex_temp", - "tempIndexMappings": Object { - "dynamic": false, - "properties": Object { - "migrationVersion": Object { - "dynamic": "true", - "type": "object", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "transformedDocBatches": Array [], - "unusedTypesQuery": Object { + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -164,31 +119,6 @@ Object { ], }, }, - "versionAlias": ".my-so-index_7.11.0", - "versionIndex": ".my-so-index_7.11.0_001", - }, - }, - }, - }, - ], - Array [ - "[.my-so-index] LEGACY_REINDEX RESPONSE", - Object { - "_tag": "Right", - "right": "response", - }, - ], - Array [ - "[.my-so-index] LEGACY_REINDEX -> LEGACY_DELETE. took: 0ms.", - Object { - "kibana": Object { - "migrations": Object { - "duration": 0, - "state": Object { - "batchSize": 1000, - "controlState": "LEGACY_DELETE", - "currentAlias": ".my-so-index", - "excludeFromUpgradeFilterHooks": Object {}, "indexPrefix": ".my-so-index", "kibanaVersion": "7.11.0", "knownTypes": Array [], @@ -198,10 +128,6 @@ Object { "level": "info", "message": "Log from LEGACY_REINDEX control state", }, - Object { - "level": "info", - "message": "Log from LEGACY_DELETE control state", - }, ], "maxBatchSizeBytes": 100000000, "migrationDocLinks": Object { @@ -239,7 +165,33 @@ Object { }, }, "transformedDocBatches": Array [], - "unusedTypesQuery": Object { + "versionAlias": ".my-so-index_7.11.0", + "versionIndex": ".my-so-index_7.11.0_001", + }, + }, + }, + }, + ], + Array [ + "[.my-so-index] LEGACY_REINDEX RESPONSE", + Object { + "_tag": "Right", + "right": "response", + }, + ], + Array [ + "[.my-so-index] LEGACY_REINDEX -> LEGACY_DELETE. took: 0ms.", + Object { + "kibana": Object { + "migrations": Object { + "duration": 0, + "state": Object { + "batchSize": 1000, + "controlState": "LEGACY_DELETE", + "currentAlias": ".my-so-index", + "discardUnknownObjects": false, + "excludeFromUpgradeFilterHooks": Object {}, + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -336,31 +288,6 @@ Object { ], }, }, - "versionAlias": ".my-so-index_7.11.0", - "versionIndex": ".my-so-index_7.11.0_001", - }, - }, - }, - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE RESPONSE", - Object { - "_tag": "Right", - "right": "response", - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE -> LEGACY_DELETE. took: 0ms.", - Object { - "kibana": Object { - "migrations": Object { - "duration": 0, - "state": Object { - "batchSize": 1000, - "controlState": "LEGACY_DELETE", - "currentAlias": ".my-so-index", - "excludeFromUpgradeFilterHooks": Object {}, "indexPrefix": ".my-so-index", "kibanaVersion": "7.11.0", "knownTypes": Array [], @@ -374,10 +301,6 @@ Object { "level": "info", "message": "Log from LEGACY_DELETE control state", }, - Object { - "level": "info", - "message": "Log from LEGACY_DELETE control state", - }, ], "maxBatchSizeBytes": 100000000, "migrationDocLinks": Object { @@ -415,7 +338,33 @@ Object { }, }, "transformedDocBatches": Array [], - "unusedTypesQuery": Object { + "versionAlias": ".my-so-index_7.11.0", + "versionIndex": ".my-so-index_7.11.0_001", + }, + }, + }, + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE RESPONSE", + Object { + "_tag": "Right", + "right": "response", + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE -> LEGACY_DELETE. took: 0ms.", + Object { + "kibana": Object { + "migrations": Object { + "duration": 0, + "state": Object { + "batchSize": 1000, + "controlState": "LEGACY_DELETE", + "currentAlias": ".my-so-index", + "discardUnknownObjects": false, + "excludeFromUpgradeFilterHooks": Object {}, + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -512,31 +461,6 @@ Object { ], }, }, - "versionAlias": ".my-so-index_7.11.0", - "versionIndex": ".my-so-index_7.11.0_001", - }, - }, - }, - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE RESPONSE", - Object { - "_tag": "Right", - "right": "response", - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE -> DONE. took: 0ms.", - Object { - "kibana": Object { - "migrations": Object { - "duration": 0, - "state": Object { - "batchSize": 1000, - "controlState": "DONE", - "currentAlias": ".my-so-index", - "excludeFromUpgradeFilterHooks": Object {}, "indexPrefix": ".my-so-index", "kibanaVersion": "7.11.0", "knownTypes": Array [], @@ -554,10 +478,6 @@ Object { "level": "info", "message": "Log from LEGACY_DELETE control state", }, - Object { - "level": "info", - "message": "Log from DONE control state", - }, ], "maxBatchSizeBytes": 100000000, "migrationDocLinks": Object { @@ -595,7 +515,33 @@ Object { }, }, "transformedDocBatches": Array [], - "unusedTypesQuery": Object { + "versionAlias": ".my-so-index_7.11.0", + "versionIndex": ".my-so-index_7.11.0_001", + }, + }, + }, + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE RESPONSE", + Object { + "_tag": "Right", + "right": "response", + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE -> DONE. took: 0ms.", + Object { + "kibana": Object { + "migrations": Object { + "duration": 0, + "state": Object { + "batchSize": 1000, + "controlState": "DONE", + "currentAlias": ".my-so-index", + "discardUnknownObjects": false, + "excludeFromUpgradeFilterHooks": Object {}, + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -692,6 +638,64 @@ Object { ], }, }, + "indexPrefix": ".my-so-index", + "kibanaVersion": "7.11.0", + "knownTypes": Array [], + "legacyIndex": ".my-so-index", + "logs": Array [ + Object { + "level": "info", + "message": "Log from LEGACY_REINDEX control state", + }, + Object { + "level": "info", + "message": "Log from LEGACY_DELETE control state", + }, + Object { + "level": "info", + "message": "Log from LEGACY_DELETE control state", + }, + Object { + "level": "info", + "message": "Log from DONE control state", + }, + ], + "maxBatchSizeBytes": 100000000, + "migrationDocLinks": Object { + "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", + "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", + "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", + "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", + }, + "outdatedDocuments": Array [], + "outdatedDocumentsQuery": Object { + "bool": Object { + "should": Array [], + }, + }, + "preMigrationScript": Object { + "_tag": "None", + }, + "retryAttempts": 5, + "retryCount": 0, + "retryDelay": 0, + "targetIndexMappings": Object { + "properties": Object {}, + }, + "tempIndex": ".my-so-index_7.11.0_reindex_temp", + "tempIndexMappings": Object { + "dynamic": false, + "properties": Object { + "migrationVersion": Object { + "dynamic": "true", + "type": "object", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "transformedDocBatches": Array [], "versionAlias": ".my-so-index_7.11.0", "versionIndex": ".my-so-index_7.11.0_001", }, 
@@ -754,65 +758,9 @@ Object { "batchSize": 1000, "controlState": "LEGACY_DELETE", "currentAlias": ".my-so-index", + "discardUnknownObjects": false, "excludeFromUpgradeFilterHooks": Object {}, - "indexPrefix": ".my-so-index", - "kibanaVersion": "7.11.0", - "knownTypes": Array [], - "legacyIndex": ".my-so-index", - "logs": Array [ - Object { - "level": "info", - "message": "Log from LEGACY_DELETE control state", - }, - ], - "maxBatchSizeBytes": 100000000, - "migrationDocLinks": Object { - "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", - "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", - "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", - "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", - }, - "outdatedDocuments": Array [ - Object { - "_id": "1234", - }, - ], - "outdatedDocumentsQuery": Object { - "bool": Object { - "should": Array [], - }, - }, - "preMigrationScript": Object { - "_tag": "None", - }, - "reason": "the fatal reason", - "retryAttempts": 5, - "retryCount": 0, - "retryDelay": 0, - "targetIndexMappings": Object { - "properties": Object {}, - }, - "tempIndex": ".my-so-index_7.11.0_reindex_temp", - "tempIndexMappings": Object { - "dynamic": false, - "properties": Object { - "migrationVersion": Object { - "dynamic": "true", - "type": "object", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "transformedDocBatches": Array [ - Array [ - Object { - "_id": "1234", - }, - ], - ], - "unusedTypesQuery": Object { + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -909,31 +857,6 @@ Object { ], }, }, - "versionAlias": ".my-so-index_7.11.0", - "versionIndex": ".my-so-index_7.11.0_001", - }, - }, - }, - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE RESPONSE", - Object { - "_tag": "Right", - "right": "response", - }, - ], - Array [ - "[.my-so-index] LEGACY_DELETE -> FATAL. took: 0ms.", - Object { - "kibana": Object { - "migrations": Object { - "duration": 0, - "state": Object { - "batchSize": 1000, - "controlState": "FATAL", - "currentAlias": ".my-so-index", - "excludeFromUpgradeFilterHooks": Object {}, "indexPrefix": ".my-so-index", "kibanaVersion": "7.11.0", "knownTypes": Array [], @@ -943,10 +866,6 @@ Object { "level": "info", "message": "Log from LEGACY_DELETE control state", }, - Object { - "level": "info", - "message": "Log from FATAL control state", - }, ], "maxBatchSizeBytes": 100000000, "migrationDocLinks": Object { @@ -995,7 +914,33 @@ Object { }, ], ], - "unusedTypesQuery": Object { + "versionAlias": ".my-so-index_7.11.0", + "versionIndex": ".my-so-index_7.11.0_001", + }, + }, + }, + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE RESPONSE", + Object { + "_tag": "Right", + "right": "response", + }, + ], + Array [ + "[.my-so-index] LEGACY_DELETE -> FATAL. took: 0ms.", + Object { + "kibana": Object { + "migrations": Object { + "duration": 0, + "state": Object { + "batchSize": 1000, + "controlState": "FATAL", + "currentAlias": ".my-so-index", + "discardUnknownObjects": false, + "excludeFromUpgradeFilterHooks": Object {}, + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -1092,6 +1037,67 @@ Object { ], }, }, + "indexPrefix": ".my-so-index", + "kibanaVersion": "7.11.0", + "knownTypes": Array [], + "legacyIndex": ".my-so-index", + "logs": Array [ + Object { + "level": "info", + "message": "Log from LEGACY_DELETE control state", + }, + Object { + "level": "info", + "message": "Log from FATAL control state", + }, + ], + "maxBatchSizeBytes": 100000000, + "migrationDocLinks": Object { + "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", + "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", + "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", + "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", + }, + "outdatedDocuments": Array [ + Object { + "_id": "1234", + }, + ], + "outdatedDocumentsQuery": Object { + "bool": Object { + "should": Array [], + }, + }, + "preMigrationScript": Object { + "_tag": "None", + }, + "reason": "the fatal reason", + "retryAttempts": 5, + "retryCount": 0, + "retryDelay": 0, + "targetIndexMappings": Object { + "properties": Object {}, + }, + "tempIndex": ".my-so-index_7.11.0_reindex_temp", + "tempIndexMappings": Object { + "dynamic": false, + "properties": Object { + "migrationVersion": Object { + "dynamic": "true", + "type": "object", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "transformedDocBatches": Array [ + Array [ + Object { + "_id": "1234", + }, + ], + ], "versionAlias": ".my-so-index_7.11.0", "versionIndex": ".my-so-index_7.11.0_001", }, 
diff --git a/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.test.ts b/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.test.ts index 0f41233fd58f2..68bd6c934a80f 100644 --- a/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.test.ts +++ b/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.test.ts @@ -28,14 +28,10 @@ describe('calculateExcludeFilters', () => { expect(hook2).toHaveBeenCalledWith({ readonlyEsClient: { search: expect.any(Function) } }); expect(Either.isRight(result)).toBe(true); expect((result as Either.Right).right).toEqual({ - excludeFilter: { - bool: { - must_not: [ - { bool: { must: { term: { fieldA: '123' } } } }, - { bool: { must: { term: { fieldB: 'abc' } } } }, - ], - }, - }, + mustNotClauses: [ + { bool: { must: { term: { fieldA: '123' } } } }, + { bool: { must: { term: { fieldB: 'abc' } } } }, + ], errorsByType: {}, }); }); @@ -53,11 +49,7 @@ describe('calculateExcludeFilters', () => { expect(Either.isRight(result)).toBe(true); expect((result as Either.Right).right).toEqual({ - excludeFilter: { - bool: { - must_not: [{ bool: { must: { term: { fieldB: 'abc' } } } }], - }, - }, + mustNotClauses: [{ bool: { must: { term: { fieldB: 'abc' } } } }], errorsByType: { type1: error }, }); }); @@ -99,11 +91,7 @@ describe('calculateExcludeFilters', () => { expect(Either.isRight(result)).toBe(true); expect((result as Either.Right).right).toEqual({ - excludeFilter: { - bool: { - must_not: [{ bool: { must: { term: { fieldB: 'abc' } } } }], - }, - }, + mustNotClauses: [{ bool: { must: { term: { fieldB: 'abc' } } } }], errorsByType: expect.any(Object), }); expect((result as Either.Right).right.errorsByType.type1.toString()).toMatchInlineSnapshot( diff --git a/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.ts b/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.ts index 27ce7bd4c404b..a2cea776792ad 100644 
--- a/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.ts +++ b/src/core/server/saved_objects/migrations/actions/calculate_exclude_filters.ts @@ -6,13 +6,13 @@ * Side Public License, v 1. */ -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types'; import { withTimeout } from '@kbn/std'; import * as Either from 'fp-ts/lib/Either'; import * as TaskEither from 'fp-ts/lib/TaskEither'; -import { RetryableEsClientError } from '.'; -import { ElasticsearchClient } from '../../../elasticsearch'; -import { SavedObjectTypeExcludeFromUpgradeFilterHook } from '../../types'; +import type { RetryableEsClientError } from '.'; +import type { ElasticsearchClient } from '../../../elasticsearch'; +import type { SavedObjectTypeExcludeFromUpgradeFilterHook } from '../../types'; import { catchRetryableEsClientErrors } from './catch_retryable_es_client_errors'; export interface CalculateExcludeFiltersParams { @@ -22,8 +22,8 @@ export interface CalculateExcludeFiltersParams { } export interface CalculatedExcludeFilter { - /** Composite filter of all calculated filters */ - excludeFilter: estypes.QueryDslQueryContainer; + /** Array with all the clauses that must be bool.must_not'ed */ + mustNotClauses: QueryDslQueryContainer[]; /** Any errors that were encountered during filter calculation, keyed by the type name */ errorsByType: Record; } @@ -39,7 +39,7 @@ export const calculateExcludeFilters = > => () => { return Promise.all< - | Either.Right + | Either.Right | Either.Left<{ soType: string; error: Error | RetryableEsClientError }> >( Object.entries(excludeFromUpgradeFilterHooks).map(([soType, hook]) => 
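Review bot: The new `mustNotClauses` doc comment on `CalculatedExcludeFilter` does not state that the array is fail-open: in the collection loop of the following hunk a hook that rejects (or is cut off by `withTimeout`) contributes nothing to `mustNotClauses` and is only recorded in `errorsByType`, so documents of that type are migrated rather than excluded unless the caller acts on `errorsByType`. Now that callers assemble the `bool.must_not` themselves, that contract is easy to overlook. I would extend the comment to `/** Clauses to place under bool.must_not. Only hooks that resolved successfully contribute; a type listed in errorsByType has NOT been excluded — callers must decide whether to abort or proceed. */`. The `calculateExcludeFilters` body that starts in the `@@ -39` hunk continues past this line.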
@@ -91,22 +91,17 @@ export const calculateExcludeFilters = } const errorsByType: Array<[string, Error]> = []; - const filters: estypes.QueryDslQueryContainer[] = []; + const mustNotClauses: QueryDslQueryContainer[] = []; // Loop through all results and collect successes and errors results.forEach((r) => Either.isRight(r) - ? filters.push(r.right) + ? mustNotClauses.push(r.right) : Either.isLeft(r) && errorsByType.push([r.left.soType, r.left.error as Error]) ); - // Composite filter from all calculated filters that successfully executed - const excludeFilter: estypes.QueryDslQueryContainer = { - bool: { must_not: filters }, - }; - return Either.right({ - excludeFilter, + mustNotClauses, errorsByType: Object.fromEntries(errorsByType), }); }); diff --git a/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.mocks.ts b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.mocks.ts new file mode 100644 index 0000000000000..a762a9f18e0b6 --- /dev/null +++ b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.mocks.ts 
@@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { SearchResponse } from '@elastic/elasticsearch/lib/api/types'; + +interface DocIdsByType { + [type: string]: string[]; +} + +export const createAggregateTypesSearchResponse = (typesIds: DocIdsByType = {}): SearchResponse => { + return { + took: 0, + timed_out: false, + _shards: { + total: 1, + successful: 1, + skipped: 0, + failed: 0, + }, + hits: { + total: { + value: Object.keys(typesIds).length, + relation: 'eq', + }, + max_score: null, + hits: [], + }, + aggregations: { + typesAggregation: { + buckets: Object.entries(typesIds).map(([type, ids]) => ({ + key: type, + docs: { hits: { hits: ids.map((_id) => ({ _id })) } }, + })), + }, + }, + }; +}; diff --git a/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.test.ts b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.test.ts index 4254c152a1fa8..d5c99f01ada33 100644 --- a/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.test.ts +++ b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.test.ts 
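Review bot: `createAggregateTypesSearchResponse` sets `hits.total.value` to `Object.keys(typesIds).length`, i.e. the number of distinct types, whereas the field stands for the number of matching documents, so any future assertion on `total` would pass for the wrong reason. A closer shape is `value: Object.values(typesIds).reduce((n, ids) => n + ids.length, 0)`. The generated buckets also omit a per-bucket `doc_count`, so this fixture cannot exercise code that reports how many documents a type really has when `top_hits` is capped; adding one per bucket (`doc_count: ids.length`) would keep that option open.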
@@ -9,14 +9,15 @@ import * as Either from 'fp-ts/lib/Either'; import { catchRetryableEsClientErrors } from './catch_retryable_es_client_errors'; import { errors as EsErrors } from '@elastic/elasticsearch'; -import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types'; import { elasticsearchClientMock } from '../../../elasticsearch/client/mocks'; import { checkForUnknownDocs } from './check_for_unknown_docs'; +import { createAggregateTypesSearchResponse } from './check_for_unknown_docs.mocks'; jest.mock('./catch_retryable_es_client_errors'); describe('checkForUnknownDocs', () => { - const unusedTypesQuery: estypes.QueryDslQueryContainer = { + const excludeOnUpgradeQuery: QueryDslQueryContainer = { bool: { must: [{ term: { hello: 'dolly' } }] }, }; const knownTypes = ['foo', 'bar']; @@ -41,7 +42,7 @@ describe('checkForUnknownDocs', () => { client, indexName: '.kibana_8.0.0', knownTypes, - unusedTypesQuery, + excludeOnUpgradeQuery, }); try { await task(); @@ -60,7 +61,7 @@ describe('checkForUnknownDocs', () => { client, indexName: '.kibana_8.0.0', knownTypes, - unusedTypesQuery, + excludeOnUpgradeQuery, }); await task(); 
@@ -68,18 +69,37 @@ describe('checkForUnknownDocs', () => { expect(client.search).toHaveBeenCalledTimes(1); expect(client.search).toHaveBeenCalledWith({ index: '.kibana_8.0.0', - body: { - query: { - bool: { - must: unusedTypesQuery, - must_not: knownTypes.map((type) => ({ - term: { - type, + size: 0, + aggs: { + typesAggregation: { + terms: { + // assign type __UNKNOWN__ to those documents that don't define one + missing: '__UNKNOWN__', + field: 'type', + size: 1000, // collect up to 1000 non-registered types + }, + aggs: { + docs: { + top_hits: { + size: 100, // collect up to 100 docs for each non-registered type + _source: { + excludes: ['*'], + }, }, - })), + }, }, }, }, + query: { + bool: { + ...excludeOnUpgradeQuery.bool, + must_not: knownTypes.map((type) => ({ + term: { + type, + }, + })), + }, + }, }); }); @@ -92,7 +112,7 @@ describe('checkForUnknownDocs', () => { client, indexName: '.kibana_8.0.0', knownTypes, - unusedTypesQuery, + excludeOnUpgradeQuery, }); const result = await task(); 
@@ -101,59 +121,36 @@ describe('checkForUnknownDocs', () => { expect((result as Either.Right).right).toEqual({}); }); - it('resolves with `Either.left` when unknown docs are found', async () => { - const client = elasticsearchClientMock.createInternalClient( - Promise.resolve({ - hits: { - hits: [ - { _id: '12', _source: { type: 'foo' } }, - { _id: '14', _source: { type: 'bar' } }, - ], - }, - }) - ); - - const task = checkForUnknownDocs({ - client, - indexName: '.kibana_8.0.0', - knownTypes, - unusedTypesQuery, - }); - - const result = await task(); - - expect(Either.isLeft(result)).toBe(true); - expect((result as Either.Left).left).toEqual({ - type: 'unknown_docs_found', - unknownDocs: [ - { id: '12', type: 'foo' }, - { id: '14', type: 'bar' }, - ], - }); - }); - - it('uses `unknown` as the type when the document does not contain a type field', async () => { - const client = elasticsearchClientMock.createInternalClient( - Promise.resolve({ - hits: { - hits: [{ _id: '12', _source: {} }], - }, - }) - ); - - const task = checkForUnknownDocs({ - client, - indexName: '.kibana_8.0.0', - knownTypes, - unusedTypesQuery, - }); - - const result = await task(); - - expect(Either.isLeft(result)).toBe(true); - expect((result as Either.Left).left).toEqual({ - type: 'unknown_docs_found', - unknownDocs: [{ id: '12', type: 'unknown' }], + describe('when unknown doc types are found', () => { + it('resolves with `Either.right`, returning the unknown doc types', async () => { + const client = elasticsearchClientMock.createInternalClient( + Promise.resolve( + createAggregateTypesSearchResponse({ + foo: ['12'], + bar: ['14'], + __UNKNOWN__: ['16'], + }) + ) + ); + + const task = checkForUnknownDocs({ + client, + indexName: '.kibana_8.0.0', + knownTypes, + excludeOnUpgradeQuery, + }); + + const result = await task(); + + expect(Either.isRight(result)).toBe(true); + expect((result as Either.Right).right).toEqual({ + type: 'unknown_docs_found', + unknownDocs: [ + { id: '12', type: 'foo' 
}, + { id: '14', type: 'bar' }, + { id: '16', type: '__UNKNOWN__' }, + ], + }); }); }); }); diff --git a/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.ts b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.ts index f9e3df9a0443a..b475f47e3d7f2 100644 --- a/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.ts +++ b/src/core/server/saved_objects/migrations/actions/check_for_unknown_docs.ts @@ -8,24 +8,31 @@ import * as Either from 'fp-ts/lib/Either'; import * as TaskEither from 'fp-ts/lib/TaskEither'; -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { flatten } from 'lodash'; +import type { + AggregationsMultiBucketAggregateBase, + Indices, + QueryDslQueryContainer, + SearchRequest, +} from '@elastic/elasticsearch/lib/api/types'; import type { SavedObjectsRawDocSource } from '../../serialization'; -import { ElasticsearchClient } from '../../../elasticsearch'; +import type { ElasticsearchClient } from '../../../elasticsearch'; import { catchRetryableEsClientErrors, - RetryableEsClientError, + type RetryableEsClientError, } from './catch_retryable_es_client_errors'; +import { addExcludedTypesToBoolQuery } from '../model/helpers'; /** @internal */ export interface CheckForUnknownDocsParams { client: ElasticsearchClient; indexName: string; - unusedTypesQuery: estypes.QueryDslQueryContainer; + excludeOnUpgradeQuery: QueryDslQueryContainer; knownTypes: string[]; } /** @internal */ -export interface CheckForUnknownDocsFoundDoc { +export interface DocumentIdAndType { id: string; type: string; } 
@@ -33,55 +40,90 @@ export interface CheckForUnknownDocsFoundDoc { /** @internal */ export interface UnknownDocsFound { type: 'unknown_docs_found'; - unknownDocs: CheckForUnknownDocsFoundDoc[]; + unknownDocs: DocumentIdAndType[]; +} + +/** + * Performs a search in ES, aggregating documents by type, + * retrieving a bunch of documents for each type. + * @internal + * @param esClient The ES client to perform the search query + * @param targetIndices The ES indices to target + * @param query An optional query that can be used to filter + * @returns A list of documents with their types + */ +export async function getAggregatedTypesDocuments( + esClient: ElasticsearchClient, + targetIndices: Indices, + query?: QueryDslQueryContainer +): Promise { + const params: SearchRequest = { + index: targetIndices, + size: 0, + // apply the desired filters (e.g. filter out registered types) + query, + // aggregate docs by type, so that we have a sneak peak of all types + aggs: { + typesAggregation: { + terms: { + // assign type __UNKNOWN__ to those documents that don't define one + missing: '__UNKNOWN__', + field: 'type', + size: 1000, // collect up to 1000 types + }, + aggs: { + docs: { + top_hits: { + size: 100, // collect up to 100 docs for each type + _source: { + excludes: ['*'], + }, + }, + }, + }, + }, + }, + }; + + const body = await esClient.search(params); + + if (!body.aggregations) return []; + + const { typesAggregation } = body.aggregations; + const buckets = (typesAggregation as AggregationsMultiBucketAggregateBase).buckets; + + const bucketsArray = Array.isArray(buckets) ? 
buckets : Object.values(buckets); + + return flatten( + bucketsArray.map( + (bucket: any) => + bucket.docs?.hits?.hits?.map((doc: any) => ({ + id: doc._id, + type: bucket.key, + })) || [] + ) + ); } export const checkForUnknownDocs = ({ client, indexName, - unusedTypesQuery, + excludeOnUpgradeQuery, knownTypes, }: CheckForUnknownDocsParams): TaskEither.TaskEither< - RetryableEsClientError | UnknownDocsFound, - {} + RetryableEsClientError, + UnknownDocsFound | {} > => - () => { - const query = createUnknownDocQuery(unusedTypesQuery, knownTypes); - - return client - .search({ - index: indexName, - body: { - query, - }, - }) - .then((body) => { - const { hits } = body.hits; - if (hits.length) { - return Either.left({ - type: 'unknown_docs_found' as const, - unknownDocs: hits.map((hit) => ({ id: hit._id, type: hit._source?.type ?? 'unknown' })), - }); - } else { - return Either.right({}); + async () => { + const excludeQuery = addExcludedTypesToBoolQuery(knownTypes, excludeOnUpgradeQuery.bool); + return getAggregatedTypesDocuments(client, indexName, excludeQuery) + .then((unknownDocs) => { + if (unknownDocs.length) { + return Either.right({ type: 'unknown_docs_found' as const, unknownDocs }); } + + return Either.right({}); }) .catch(catchRetryableEsClientErrors); }; - -const createUnknownDocQuery = ( - unusedTypesQuery: estypes.QueryDslQueryContainer, - knownTypes: string[] -): estypes.QueryDslQueryContainer => { - return { - bool: { - must: unusedTypesQuery, - must_not: knownTypes.map((type) => ({ - term: { - type, - }, - })), - }, - }; -}; diff --git a/src/core/server/saved_objects/migrations/actions/index.ts b/src/core/server/saved_objects/migrations/actions/index.ts index 3a387d764fa4c..4ac6bfa24fee6 100644 --- a/src/core/server/saved_objects/migrations/actions/index.ts +++ b/src/core/server/saved_objects/migrations/actions/index.ts 
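Review bot: `getAggregatedTypesDocuments` silently truncates what it reports — the terms aggregation keeps at most 1000 types and `top_hits` at most 100 ids per type — yet `checkForUnknownDocs` hands the flattened ids back as `unknownDocs` with no signal that the list may be partial, so an operator reviewing the reported unknown documents (or any later logic keyed on them) can be led to believe the set is complete. ES terms buckets should carry a `doc_count`; I would surface it alongside the ids, or at minimum document the cap on `UnknownDocsFound.unknownDocs`: `// NOTE: a sample — at most 100 ids per type and 1000 types are collected`. Separately, the filter is now derived from `excludeOnUpgradeQuery.bool`, while the removed `createUnknownDocQuery` wrapped the whole query in `must`; if a caller passes a non-bool query (the integration tests use `{ match_all: {} }` for the sibling `reindex` action) `.bool` is `undefined` and, depending on how `addExcludedTypesToBoolQuery` treats it, the caller's filter could be dropped — narrowing the parameter type to a bool query or asserting on `.bool` before the call would make this explicit. The `bucket: any` / `doc: any` casts are the other place a typed aggregation result would help, but that is cosmetic.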
@@ -93,7 +93,7 @@ import { ClusterShardLimitExceeded } from './create_index'; export type { CheckForUnknownDocsParams, UnknownDocsFound, - CheckForUnknownDocsFoundDoc, + DocumentIdAndType, } from './check_for_unknown_docs'; export { checkForUnknownDocs } from './check_for_unknown_docs'; @@ -160,7 +160,7 @@ export interface ActionErrorTypeMap { /** * Type guard for narrowing the type of a left */ -export function isLeftTypeof( +export function isTypeof( res: any, typeString: T ): res is ActionErrorTypeMap[T] { diff --git a/src/core/server/saved_objects/migrations/actions/integration_tests/actions.test.ts b/src/core/server/saved_objects/migrations/actions/integration_tests/actions.test.ts index d47d53aa367e7..a799ced0ffe39 100644 --- a/src/core/server/saved_objects/migrations/actions/integration_tests/actions.test.ts +++ b/src/core/server/saved_objects/migrations/actions/integration_tests/actions.test.ts 
@@ -6,42 +6,42 @@ * Side Public License, v 1. */ -import { ElasticsearchClient } from '../../../..'; +import Path from 'path'; +import * as Either from 'fp-ts/lib/Either'; +import * as Option from 'fp-ts/lib/Option'; +import { errors } from '@elastic/elasticsearch'; +import type { TaskEither } from 'fp-ts/lib/TaskEither'; +import type { ElasticsearchClient } from '../../../..'; import * as kbnTestServer from '../../../../../test_helpers/kbn_server'; -import { SavedObjectsRawDoc } from '../../../serialization'; +import type { SavedObjectsRawDoc } from '../../../serialization'; import { bulkOverwriteTransformedDocuments, cloneIndex, closePit, createIndex, openPit, - OpenPitResponse, + type OpenPitResponse, reindex, readWithPit, - ReadWithPit, + type ReadWithPit, searchForOutdatedDocuments, SearchResponse, setWriteBlock, updateAliases, waitForReindexTask, - ReindexResponse, + type ReindexResponse, waitForPickupUpdatedMappingsTask, pickupUpdatedMappings, - UpdateByQueryResponse, + type UpdateByQueryResponse, updateAndPickupMappings, - UpdateAndPickupMappingsResponse, + type UpdateAndPickupMappingsResponse, verifyReindex, removeWriteBlock, transformDocs, waitForIndexStatusYellow, initAction, } from '..'; -import * as Either from 'fp-ts/lib/Either'; -import * as Option from 'fp-ts/lib/Option'; -import { errors } from '@elastic/elasticsearch'; -import { DocumentsTransformFailed, DocumentsTransformSuccess } from '../../core'; -import { TaskEither } from 'fp-ts/lib/TaskEither'; -import Path from 'path'; +import type { DocumentsTransformFailed, DocumentsTransformSuccess } from '../../core'; const { startES } = kbnTestServer.createTestServers({ adjustTimeout: (t: number) => jest.setTimeout(t), 
@@ -610,7 +610,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); await expect(task()).resolves.toMatchInlineSnapshot(` @@ -637,14 +637,14 @@ describe('migration actions', () => { ] `); }); - it('resolves right and excludes all documents not matching the unusedTypesQuery', async () => { + it('resolves right and excludes all documents not matching the excludeOnUpgradeQuery', async () => { const res = (await reindex({ client, sourceIndex: 'existing_index_with_docs', targetIndex: 'reindex_target_excluded_docs', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { + excludeOnUpgradeQuery: { bool: { must_not: ['f_agent_event', 'another_unused_type'].map((type) => ({ term: { type }, @@ -683,7 +683,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_2', reindexScript: Option.some(`ctx._source.title = ctx._source.title + '_updated'`), requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); await expect(task()).resolves.toMatchInlineSnapshot(` @@ -718,7 +718,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_3', reindexScript: Option.some(`ctx._source.title = ctx._source.title + '_updated'`), requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; let task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); await expect(task()).resolves.toMatchInlineSnapshot(` 
@@ -735,7 +735,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_3', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); await expect(task()).resolves.toMatchInlineSnapshot(` @@ -794,7 +794,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_4', reindexScript: Option.some(`ctx._source.title = ctx._source.title + '_updated'`), requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); await expect(task()).resolves.toMatchInlineSnapshot(` @@ -850,7 +850,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_5', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: reindexTaskId, timeout: '10s' }); @@ -889,7 +889,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_6', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: reindexTaskId, timeout: '10s' }); @@ -910,7 +910,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { + excludeOnUpgradeQuery: { match_all: {}, }, })()) as Either.Right; 
@@ -933,7 +933,7 @@ describe('migration actions', () => { targetIndex: 'existing_index_with_write_block', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); @@ -955,7 +955,7 @@ describe('migration actions', () => { targetIndex: 'existing_index_with_write_block', reindexScript: Option.none, requireAlias: true, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' }); @@ -983,7 +983,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; const task = waitForReindexTask({ client, taskId: res.right.taskId, timeout: '0s' }); @@ -1010,7 +1010,7 @@ describe('migration actions', () => { targetIndex: 'reindex_target_7', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: { match_all: {} }, + excludeOnUpgradeQuery: { match_all: {} }, })()) as Either.Right; await waitForReindexTask({ client, taskId: res.right.taskId, timeout: '10s' })(); diff --git a/src/core/server/saved_objects/migrations/actions/reindex.test.ts b/src/core/server/saved_objects/migrations/actions/reindex.test.ts index f53368bd9321b..3352e4eebadca 100644 --- a/src/core/server/saved_objects/migrations/actions/reindex.test.ts +++ b/src/core/server/saved_objects/migrations/actions/reindex.test.ts @@ -36,7 +36,7 @@ describe('reindex', () => { targetIndex: 'my_target_index', reindexScript: Option.none, requireAlias: false, - unusedTypesQuery: {}, + excludeOnUpgradeQuery: {}, }); try { await task(); 
diff --git a/src/core/server/saved_objects/migrations/actions/reindex.ts b/src/core/server/saved_objects/migrations/actions/reindex.ts index cfd7449971b7f..46f20928e1bef 100644 --- a/src/core/server/saved_objects/migrations/actions/reindex.ts +++ b/src/core/server/saved_objects/migrations/actions/reindex.ts @@ -9,11 +9,11 @@ import * as Either from 'fp-ts/lib/Either'; import * as TaskEither from 'fp-ts/lib/TaskEither'; import * as Option from 'fp-ts/lib/Option'; -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { ElasticsearchClient } from '../../../elasticsearch'; +import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types'; +import type { ElasticsearchClient } from '../../../elasticsearch'; import { catchRetryableEsClientErrors, - RetryableEsClientError, + type RetryableEsClientError, } from './catch_retryable_es_client_errors'; import { BATCH_SIZE } from './constants'; @@ -33,7 +33,7 @@ export interface ReindexParams { * are no longer used. These saved objects will still be kept in the outdated * index for backup purposes, but won't be available in the upgraded index. */ - unusedTypesQuery: estypes.QueryDslQueryContainer; + excludeOnUpgradeQuery: QueryDslQueryContainer; } /** @@ -51,7 +51,7 @@ export const reindex = targetIndex, reindexScript, requireAlias, - unusedTypesQuery, + excludeOnUpgradeQuery, }: ReindexParams): TaskEither.TaskEither => () => { return client @@ -67,7 +67,7 @@ export const reindex = // Set reindex batch size size: BATCH_SIZE, // Exclude saved object types - query: unusedTypesQuery, + query: excludeOnUpgradeQuery, }, dest: { index: targetIndex, diff --git a/src/core/server/saved_objects/migrations/core/unused_types.ts b/src/core/server/saved_objects/migrations/core/unused_types.ts index 076bdb489cf49..d80dcb23b7189 100644 --- a/src/core/server/saved_objects/migrations/core/unused_types.ts +++ b/src/core/server/saved_objects/migrations/core/unused_types.ts 
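Review bot: The JSDoc above the renamed `excludeOnUpgradeQuery` field in `ReindexParams` (the `@@ -33` hunk) still only describes excluding saved object types that `are no longer used` and kept `for backup purposes`, while the new name — and the `mustNotClauses` built from `excludeFromUpgradeFilterHooks` elsewhere in this change — suggest the query now also carries per-type exclusion filters supplied by plugins. A reader of the parameter would therefore under-estimate what can be left out of the upgraded index. I would reword the comment to state that the query excludes both unregistered/removed types and any documents matched by a registered type's exclude-on-upgrade hook, and that the excluded documents survive only in the outdated index. The `ReindexParams` interface starts above this hunk.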
@@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types'; /** * Types that are no longer registered and need to be removed @@ -41,7 +41,7 @@ export const REMOVED_TYPES: string[] = [ // saved objects which are no longer used. These saved objects will still be // kept in the outdated index for backup purposes, but won't be available in // the upgraded index. -export const excludeUnusedTypesQuery: estypes.QueryDslQueryContainer = { +export const excludeUnusedTypesQuery: QueryDslQueryContainer = { bool: { must_not: [ ...REMOVED_TYPES.map((typeName) => ({ diff --git a/src/core/server/saved_objects/migrations/initial_state.test.ts b/src/core/server/saved_objects/migrations/initial_state.test.ts index c2a2736541208..cfa9c9f3a2435 100644 --- a/src/core/server/saved_objects/migrations/initial_state.test.ts +++ b/src/core/server/saved_objects/migrations/initial_state.test.ts @@ -8,12 +8,14 @@ import { ByteSizeValue } from '@kbn/config-schema'; import * as Option from 'fp-ts/Option'; -import { DocLinksServiceSetup } from '../../doc_links'; -import { docLinksServiceMock } from '../../mocks'; -import { SavedObjectsMigrationConfigType } from '../saved_objects_config'; +import type { DocLinksServiceSetup } from '../../doc_links'; +import { docLinksServiceMock, loggingSystemMock } from '../../mocks'; +import type { SavedObjectsMigrationConfigType } from '../saved_objects_config'; import { SavedObjectTypeRegistry } from '../saved_objects_type_registry'; import { createInitialState } from './initial_state'; +const mockLogger = loggingSystemMock.create(); + describe('createInitialState', () => { let typeRegistry: SavedObjectTypeRegistry; let docLinks: DocLinksServiceSetup; 
@@ -41,62 +43,16 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }) ).toMatchInlineSnapshot(` Object { "batchSize": 1000, "controlState": "INIT", "currentAlias": ".kibana_task_manager", + "discardUnknownObjects": false, "excludeFromUpgradeFilterHooks": Object {}, - "indexPrefix": ".kibana_task_manager", - "kibanaVersion": "8.1.0", - "knownTypes": Array [], - "legacyIndex": ".kibana_task_manager", - "logs": Array [], - "maxBatchSizeBytes": 104857600, - "migrationDocLinks": Object { - "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", - "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", - "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", - "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", - }, - "outdatedDocumentsQuery": Object { - "bool": Object { - "should": Array [], - }, - }, - "preMigrationScript": Object { - "_tag": "None", - }, - "retryAttempts": 15, - "retryCount": 0, - "retryDelay": 0, - "targetIndexMappings": Object { - "dynamic": "strict", - "properties": Object { - "my_type": Object { - "properties": Object { - "title": Object { - "type": "text", - }, - }, - }, - }, - }, - "tempIndex": ".kibana_task_manager_8.1.0_reindex_temp", - "tempIndexMappings": Object { - "dynamic": false, - "properties": Object { - "migrationVersion": Object { - "dynamic": "true", - "type": "object", - }, - "type": Object { - "type": "keyword", - }, - }, - }, - "unusedTypesQuery": Object { + "excludeOnUpgradeQuery": Object { "bool": Object { "must_not": Array [ Object { 
@@ -193,6 +149,54 @@ describe('createInitialState', () => { ], }, }, + "indexPrefix": ".kibana_task_manager", + "kibanaVersion": "8.1.0", + "knownTypes": Array [], + "legacyIndex": ".kibana_task_manager", + "logs": Array [], + "maxBatchSizeBytes": 104857600, + "migrationDocLinks": Object { + "clusterShardLimitExceeded": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#cluster-shard-limit-exceeded", + "repeatedTimeoutRequests": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#_repeated_time_out_requests_that_eventually_fail", + "resolveMigrationFailures": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html", + "routingAllocationDisabled": "https://www.elastic.co/guide/en/kibana/test-branch/resolve-migrations-failures.html#routing-allocation-disabled", + }, + "outdatedDocumentsQuery": Object { + "bool": Object { + "should": Array [], + }, + }, + "preMigrationScript": Object { + "_tag": "None", + }, + "retryAttempts": 15, + "retryCount": 0, + "retryDelay": 0, + "targetIndexMappings": Object { + "dynamic": "strict", + "properties": Object { + "my_type": Object { + "properties": Object { + "title": Object { + "type": "text", + }, + }, + }, + }, + }, + "tempIndex": ".kibana_task_manager_8.1.0_reindex_temp", + "tempIndexMappings": Object { + "dynamic": false, + "properties": Object { + "migrationVersion": Object { + "dynamic": "true", + "type": "object", + }, + "type": Object { + "type": "keyword", + }, + }, + }, "versionAlias": ".kibana_task_manager_8.1.0", "versionIndex": ".kibana_task_manager_8.1.0_001", } @@ -224,6 +228,7 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }); expect(initialState.knownTypes).toEqual(['foo', 'bar']); 
@@ -250,6 +255,7 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }); expect(initialState.excludeFromUpgradeFilterHooks).toEqual({ foo: fooExcludeOnUpgradeHook }); @@ -269,6 +275,7 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }); expect(Option.isSome(initialState.preMigrationScript)).toEqual(true); @@ -291,6 +298,7 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }).preMigrationScript ) ).toEqual(true); @@ -309,6 +317,7 @@ describe('createInitialState', () => { migrationsConfig, typeRegistry, docLinks, + logger: mockLogger.get(), }).outdatedDocumentsQuery ).toMatchInlineSnapshot(` Object { 
@@ -347,4 +356,71 @@ describe('createInitialState', () => { } `); }); + + it('initializes the `discardUnknownObjects` flag to false if the flag is not provided in the config', () => { + const logger = mockLogger.get(); + const initialState = createInitialState({ + kibanaVersion: '8.1.0', + targetMappings: { + dynamic: 'strict', + properties: { my_type: { properties: { title: { type: 'text' } } } }, + }, + migrationVersionPerType: {}, + indexPrefix: '.kibana_task_manager', + migrationsConfig, + typeRegistry, + docLinks, + logger, + }); + + expect(logger.warn).not.toBeCalled(); + expect(initialState.discardUnknownObjects).toEqual(false); + }); + + it('initializes the `discardUnknownObjects` flag to false if the value provided in the config does not match the current kibana version', () => { + const logger = mockLogger.get(); + const initialState = createInitialState({ + kibanaVersion: '8.1.0', + targetMappings: { + dynamic: 'strict', + properties: { my_type: { properties: { title: { type: 'text' } } } }, + }, + migrationVersionPerType: {}, + indexPrefix: '.kibana_task_manager', + migrationsConfig: { + ...migrationsConfig, + discardUnknownObjects: '8.0.0', + }, + typeRegistry, + docLinks, + logger, + }); + + expect(initialState.discardUnknownObjects).toEqual(false); + expect(logger.warn).toBeCalledTimes(1); + expect(logger.warn).toBeCalledWith( + 'The flag `migrations.discardUnknownObjects` is defined but does not match the current kibana version; unknown objects will NOT be ignored.' 
+ ); + }); + + it('initializes the `discardUnknownObjects` flag to true if the value provided in the config matches the current kibana version', () => { + const initialState = createInitialState({ + kibanaVersion: '8.1.0', + targetMappings: { + dynamic: 'strict', + properties: { my_type: { properties: { title: { type: 'text' } } } }, + }, + migrationVersionPerType: {}, + indexPrefix: '.kibana_task_manager', + migrationsConfig: { + ...migrationsConfig, + discardUnknownObjects: '8.1.0', + }, + typeRegistry, + docLinks, + logger: mockLogger.get(), + }); + + expect(initialState.discardUnknownObjects).toEqual(true); + }); }); diff --git a/src/core/server/saved_objects/migrations/initial_state.ts b/src/core/server/saved_objects/migrations/initial_state.ts index ae0fe54049505..f576a5a93429a 100644 --- a/src/core/server/saved_objects/migrations/initial_state.ts +++ b/src/core/server/saved_objects/migrations/initial_state.ts @@ -7,13 +7,14 @@ */ import * as Option from 'fp-ts/Option'; -import { IndexMapping } from '../mappings'; -import { SavedObjectsMigrationVersion } from '../../../types'; -import { SavedObjectsMigrationConfigType } from '../saved_objects_config'; +import type { Logger } from '@kbn/logging'; +import type { IndexMapping } from '../mappings'; +import type { SavedObjectsMigrationVersion } from '../../../types'; +import type { SavedObjectsMigrationConfigType } from '../saved_objects_config'; import type { ISavedObjectTypeRegistry } from '../saved_objects_type_registry'; -import { InitState } from './state'; +import type { InitState } from './state'; import { excludeUnusedTypesQuery } from './core'; -import { DocLinksServiceStart } from '../../doc_links'; +import type { DocLinksServiceStart } from '../../doc_links'; /** * Construct the initial state for the model @@ -27,6 +28,7 @@ export const createInitialState = ({ migrationsConfig, typeRegistry, docLinks, + logger, }: { kibanaVersion: string; targetMappings: IndexMapping; 
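Review bot: The third new test (`matches the current kibana version`) asserts `discardUnknownObjects` is `true` but, unlike the first, never checks that no warning was emitted; capture the logger as the other two tests do and add `expect(logger.warn).not.toBeCalled();` so the positive path is pinned as silent. All three call-count assertions (`not.toBeCalled()`, `toBeCalledTimes(1)`) read the module-scoped `mockLogger`, so if `mockLogger.get()` hands back the same underlying mock functions each time they are order-dependent unless a `beforeEach` outside this hunk clears the mocks; a `jest.clearAllMocks()` in a `beforeEach` would let each test stand alone. The enclosing `describe('createInitialState')` starts outside the hunk.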
@@ -36,6 +38,7 @@ export const createInitialState = ({ migrationsConfig: SavedObjectsMigrationConfigType; typeRegistry: ISavedObjectTypeRegistry; docLinks: DocLinksServiceStart; + logger: Logger; }): InitState => { const outdatedDocumentsQuery = { bool: { @@ -70,6 +73,15 @@ export const createInitialState = ({ // short key to access savedObjects entries directly from docLinks const migrationDocLinks = docLinks.links.kibanaUpgradeSavedObjects; + if ( + migrationsConfig.discardUnknownObjects && + migrationsConfig.discardUnknownObjects !== kibanaVersion + ) { + logger.warn( + 'The flag `migrations.discardUnknownObjects` is defined but does not match the current kibana version; unknown objects will NOT be ignored.' + ); + } + return { controlState: 'INIT', indexPrefix, @@ -88,8 +100,9 @@ export const createInitialState = ({ retryAttempts: migrationsConfig.retryAttempts, batchSize: migrationsConfig.batchSize, maxBatchSizeBytes: migrationsConfig.maxBatchSizeBytes.getValueInBytes(), + discardUnknownObjects: migrationsConfig.discardUnknownObjects === kibanaVersion, logs: [], - unusedTypesQuery: excludeUnusedTypesQuery, + excludeOnUpgradeQuery: excludeUnusedTypesQuery, knownTypes, excludeFromUpgradeFilterHooks: excludeFilterHooks, migrationDocLinks, diff --git a/src/core/server/saved_objects/migrations/integration_tests/7.7.2_xpack_100k.test.ts b/src/core/server/saved_objects/migrations/integration_tests/7.7.2_xpack_100k.test.ts index 1b96baf210531..6ab41cb5a991c 100644 --- a/src/core/server/saved_objects/migrations/integration_tests/7.7.2_xpack_100k.test.ts +++ b/src/core/server/saved_objects/migrations/integration_tests/7.7.2_xpack_100k.test.ts 
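Review bot: The warning guard and the returned field evaluate the same comparison twice (`migrationsConfig.discardUnknownObjects !== kibanaVersion` in the `if`, `=== kibanaVersion` in the return object); compute it once, `const discardUnknownObjects = migrationsConfig.discardUnknownObjects === kibanaVersion;`, use `if (migrationsConfig.discardUnknownObjects && !discardUnknownObjects)` for the warning and return the constant. The match is plain string equality, so a value that differs from `kibanaVersion` only in formatting falls back to the strict migration with a warning, which is the safe default; but the matching branch is the one that authorises dropping documents, and it currently leaves no trace here, so a `logger.info` stating that `migrations.discardUnknownObjects` matches the current version and unknown objects will be discarded would give operators the same audit trail as the mismatch warning. The new `logger` parameter also deserves a line in the JSDoc of `createInitialState` (which starts outside this hunk) saying it is only used for this configuration warning.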
@@ -10,7 +10,7 @@ import path from 'path';
 import { unlink } from 'fs/promises';
 import { REPO_ROOT } from '@kbn/utils';
 import { Env } from '@kbn/config';
-import { getEnvOptions } from '../../../config/mocks';
+import { getEnvOptions } from '@kbn/config-mocks';
 import * as kbnTestServer from '../../../../test_helpers/kbn_server';
 import { ElasticsearchClient } from '../../../elasticsearch';
 import { InternalCoreStart } from '../../../internal_types';
diff --git a/src/core/server/saved_objects/migrations/integration_tests/7_13_0_unknown_types.test.ts b/src/core/server/saved_objects/migrations/integration_tests/7_13_0_unknown_types.test.ts
index dc521baad6335..6ccb6497516f9 100644
--- a/src/core/server/saved_objects/migrations/integration_tests/7_13_0_unknown_types.test.ts
+++ b/src/core/server/saved_objects/migrations/integration_tests/7_13_0_unknown_types.test.ts
@@ -8,9 +8,13 @@ import Path from 'path';
 import fs from 'fs/promises';
-import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import type { IndicesIndexSettings } from '@elastic/elasticsearch/lib/api/types';
+import { Env } from '@kbn/config';
+import { REPO_ROOT } from '@kbn/utils';
+import { getEnvOptions } from '@kbn/config-mocks';
 import * as kbnTestServer from '../../../../test_helpers/kbn_server';
-import { Root } from '../../../root';
+import type { Root } from '../../../root';
+import type { ElasticsearchClient } from '../../../elasticsearch';
 const logFilePath = Path.join(__dirname, '7_13_unknown_types.log');
@@ -54,62 +58,83 @@ describe('migration v2', () => { await new Promise((resolve) => setTimeout(resolve, 10000)); }); - it('fails the migration if unknown types are found in the source index', async () => { - // Start kibana with foo and space types disabled - root = createRoot(); - esServer = await startES(); - await root.preboot(); - await root.setup(); - - try { - await root.start(); - expect('should have thrown').toEqual('but it did not'); - } catch (err) { - const errorMessage = err.message; - - expect( - errorMessage.startsWith( - 'Unable to complete saved object migrations for the [.kibana] index: Migration failed because documents ' + - 'were found for unknown saved object types. To proceed with the migration, please delete these documents from the ' + - '".kibana_7.13.0_001" index.' - ) - ).toBeTruthy(); - - const unknownDocs = [ - { type: 'space', id: 'space:default' }, - { type: 'space', id: 'space:first' }, - { type: 'space', id: 'space:second' }, - { type: 'space', id: 'space:third' }, - { type: 'space', id: 'space:forth' }, - { type: 'space', id: 'space:fifth' }, - { type: 'space', id: 'space:sixth' }, - { type: 'foo', id: 'P2SQfHkBs3dBRGh--No5' }, - { type: 'foo', id: 'QGSZfHkBs3dBRGh-ANoD' }, - { type: 'foo', id: 'QWSZfHkBs3dBRGh-hNob' }, - ]; - - unknownDocs.forEach(({ id, type }) => { - expect(errorMessage).toEqual(expect.stringContaining(`- "${id}" (type: "${type}")`)); - }); - - const client = esServer.es.getClient(); - const { body: response } = await client.indices.getSettings( - { index: '.kibana_7.13.0_001' }, - { meta: true } - ); - const settings = response['.kibana_7.13.0_001'].settings as estypes.IndicesIndexSettings; - expect(settings.index).not.toBeUndefined(); - expect(settings.index!.blocks?.write).not.toEqual('true'); - } + describe('when `discardUnknownObjects` does not match current kibana version', () => { + it('fails the migration if unknown types are found in the source index', async () => { + // Start kibana with foo and space 
types disabled + root = createRoot('7.13.0'); + esServer = await startES(); + await root.preboot(); + await root.setup(); + + try { + await root.start(); + expect('should have thrown').toEqual('but it did not'); + } catch (err) { + const errorMessage = err.message; + + expect( + errorMessage.startsWith( + 'Unable to complete saved object migrations for the [.kibana] index: Migration failed because some documents ' + + 'were found which use unknown saved object types:' + ) + ).toBeTruthy(); + + const unknownDocs = [ + { type: 'space', id: 'space:default' }, + { type: 'space', id: 'space:first' }, + { type: 'space', id: 'space:second' }, + { type: 'space', id: 'space:third' }, + { type: 'space', id: 'space:forth' }, + { type: 'space', id: 'space:fifth' }, + { type: 'space', id: 'space:sixth' }, + { type: 'foo', id: 'P2SQfHkBs3dBRGh--No5' }, + { type: 'foo', id: 'QGSZfHkBs3dBRGh-ANoD' }, + { type: 'foo', id: 'QWSZfHkBs3dBRGh-hNob' }, + ]; + + unknownDocs.forEach(({ id, type }) => { + expect(errorMessage).toEqual(expect.stringContaining(`- "${id}" (type: "${type}")`)); + }); + + const client = esServer.es.getClient(); + const { body: response } = await client.indices.getSettings( + { index: '.kibana_7.13.0_001' }, + { meta: true } + ); + const settings = response['.kibana_7.13.0_001'].settings as IndicesIndexSettings; + expect(settings.index).not.toBeUndefined(); + expect(settings.index!.blocks?.write).not.toEqual('true'); + } + }); + }); + + describe('when `discardUnknownObjects` matches current kibana version', () => { + const currentVersion = Env.createDefault(REPO_ROOT, getEnvOptions()).packageInfo.version; + + it('discards the documents with unknown types and finishes the migration successfully', async () => { + // Start kibana with foo and space types disabled + root = createRoot(currentVersion); + esServer = await startES(); + await root.preboot(); + await root.setup(); + + // the migration process should finish successfully + await 
expect(root.start()).resolves.not.toThrowError(); + + const esClient: ElasticsearchClient = esServer.es.getClient(); + const body = await esClient.count({ q: 'type:foo|space' }); + expect(body.count).toEqual(0); + }); }); }); -function createRoot() { +function createRoot(discardUnknownObjects?: string) { return kbnTestServer.createRootWithCorePlugins( { migrations: { skip: false, batchSize: 5, + discardUnknownObjects, }, logging: { appenders: { diff --git a/src/core/server/saved_objects/migrations/integration_tests/batch_size_bytes.test.ts b/src/core/server/saved_objects/migrations/integration_tests/batch_size_bytes.test.ts index e9915b9fc9759..b6e10e6b3034b 100644 --- a/src/core/server/saved_objects/migrations/integration_tests/batch_size_bytes.test.ts +++ b/src/core/server/saved_objects/migrations/integration_tests/batch_size_bytes.test.ts @@ -14,7 +14,7 @@ import { Root } from '../../../root'; import { ElasticsearchClient } from '../../../elasticsearch'; import { Env } from '@kbn/config'; import { REPO_ROOT } from '@kbn/utils'; -import { getEnvOptions } from '../../../config/mocks'; +import { getEnvOptions } from '@kbn/config-mocks'; import { LogRecord } from '@kbn/logging'; import { retryAsync } from '../test_helpers/retry_async'; diff --git a/src/core/server/saved_objects/migrations/integration_tests/incompatible_cluster_routing_allocation.test.ts b/src/core/server/saved_objects/migrations/integration_tests/incompatible_cluster_routing_allocation.test.ts index c7972ae421ab0..8a075aa08bbe2 100644 --- a/src/core/server/saved_objects/migrations/integration_tests/incompatible_cluster_routing_allocation.test.ts +++ b/src/core/server/saved_objects/migrations/integration_tests/incompatible_cluster_routing_allocation.test.ts 
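Review bot: The success-path check `esClient.count({ q: 'type:foo|space' })` relies on query-string syntax in which, as far as I know, a single `|` is not an OR operator, so the query most likely searches for the literal term `foo|space` and returns 0 whether or not the unknown documents were discarded, making `expect(body.count).toEqual(0)` pass vacuously. A structured query pins the intent and scopes the count to the migrated index instead of every index in the test cluster: `esClient.count({ index: '.kibana', query: { terms: { type: ['foo', 'space'] } } })` (or at least `q: 'type:foo OR type:space'`). It would also be worth asserting that documents of a registered type survived, so a migration that dropped everything is not mistaken for a successful discard. The enclosing `describe('migration v2')` starts outside the hunk.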
@@ -12,7 +12,7 @@ import JSON5 from 'json5';
 import { REPO_ROOT } from '@kbn/utils';
 import { Env } from '@kbn/config';
 import { getDocLinksMeta } from '@kbn/doc-links';
-import { getEnvOptions } from '../../../config/mocks';
+import { getEnvOptions } from '@kbn/config-mocks';
 import * as kbnTestServer from '../../../../test_helpers/kbn_server';
 import { Root } from '../../../root';
 import { ElasticsearchClient } from '../../../elasticsearch';
diff --git a/src/core/server/saved_objects/migrations/integration_tests/migration_from_older_v1.test.ts b/src/core/server/saved_objects/migrations/integration_tests/migration_from_older_v1.test.ts
index e0c8aa340bd2a..69c9cc38fc79d 100644
--- a/src/core/server/saved_objects/migrations/integration_tests/migration_from_older_v1.test.ts
+++ b/src/core/server/saved_objects/migrations/integration_tests/migration_from_older_v1.test.ts
@@ -12,7 +12,7 @@ import Util from 'util';
 import Semver from 'semver';
 import { REPO_ROOT } from '@kbn/utils';
 import { Env } from '@kbn/config';
-import { getEnvOptions } from '../../../config/mocks';
+import { getEnvOptions } from '@kbn/config-mocks';
 import * as kbnTestServer from '../../../../test_helpers/kbn_server';
 import { ElasticsearchClient } from '../../../elasticsearch';
 import { SavedObjectsRawDoc } from '../../serialization';
diff --git a/src/core/server/saved_objects/migrations/integration_tests/migration_from_same_v1.test.ts b/src/core/server/saved_objects/migrations/integration_tests/migration_from_same_v1.test.ts
index eb54683e3a457..5c723b89c23d1 100644
--- a/src/core/server/saved_objects/migrations/integration_tests/migration_from_same_v1.test.ts
+++ b/src/core/server/saved_objects/migrations/integration_tests/migration_from_same_v1.test.ts
@@ -12,7 +12,7 @@ import Util from 'util';
 import Semver from 'semver';
 import { REPO_ROOT } from '@kbn/utils';
 import { Env } from '@kbn/config';
-import { getEnvOptions } from '../../../config/mocks';
+import { getEnvOptions } from '@kbn/config-mocks';
 import * as kbnTestServer from '../../../../test_helpers/kbn_server';
 import { ElasticsearchClient } from '../../../elasticsearch';
 import { SavedObjectsRawDoc } from '../../serialization';
diff --git a/src/core/server/saved_objects/migrations/integration_tests/type_registrations.test.ts b/src/core/server/saved_objects/migrations/integration_tests/type_registrations.test.ts
index 79a76d0a9f4fc..c50d29ba521e7 100644
--- a/src/core/server/saved_objects/migrations/integration_tests/type_registrations.test.ts
+++ b/src/core/server/saved_objects/migrations/integration_tests/type_registrations.test.ts
@@ -114,7 +114,7 @@ const previouslyRegisteredTypes = [
 ].sort();
 describe('SO type registrations', () => {
- it('does not remove types from registrations without updating unusedTypesQuery', async () => {
+ it('does not remove types from registrations without updating excludeOnUpgradeQuery', async () => {
 const root = kbnTestServer.createRoot({}, { oss: false });
 await root.preboot();
 const setup = await root.setup();
diff --git a/src/core/server/saved_objects/migrations/kibana_migrator.ts b/src/core/server/saved_objects/migrations/kibana_migrator.ts
index 54feeccb9573f..90413d70c99bb 100644
--- a/src/core/server/saved_objects/migrations/kibana_migrator.ts
+++ b/src/core/server/saved_objects/migrations/kibana_migrator.ts
@@ -118,9 +118,7 @@ export class KibanaMigrator { * The promise resolves with an array of migration statuses, one for each * elasticsearch index which was migrated. */ - public runMigrations({ rerun = false }: { rerun?: boolean } = {}): Promise< - Array<{ status: string }> - > { + public runMigrations({ rerun = false }: { rerun?: boolean } = {}): Promise { if (this.migrationResult === undefined || rerun) { // Reruns are only used by CI / EsArchiver. Publishing status updates on reruns results in slowing down CI // unnecessarily, so we skip it in this case. @@ -147,7 +145,7 @@ export class KibanaMigrator { return this.status$.asObservable(); } - private runMigrationsInternal() { + private runMigrationsInternal(): Promise { const indexMap = createIndexMap({ kibanaIndexName: this.kibanaIndex, indexMap: this.mappingProperties, diff --git a/src/core/server/saved_objects/migrations/migrations_state_action_machine.test.ts b/src/core/server/saved_objects/migrations/migrations_state_action_machine.test.ts index 93e6476f8e78c..f99f336a9ac74 100644 --- a/src/core/server/saved_objects/migrations/migrations_state_action_machine.test.ts +++ b/src/core/server/saved_objects/migrations/migrations_state_action_machine.test.ts @@ -50,6 +50,7 @@ describe('migrationsStateActionMachine', () => { }, typeRegistry, docLinks, + logger: mockLogger.get(), }); const next = jest.fn((s: State) => { diff --git a/src/core/server/saved_objects/migrations/model/extract_errors.test.ts b/src/core/server/saved_objects/migrations/model/extract_errors.test.ts index ea6b312c2053d..036ead853cf55 100644 --- a/src/core/server/saved_objects/migrations/model/extract_errors.test.ts +++ b/src/core/server/saved_objects/migrations/model/extract_errors.test.ts 
@@ -8,35 +8,53 @@ import { extractUnknownDocFailureReason, + extractDiscardedUnknownDocs, fatalReasonDocumentExceedsMaxBatchSizeBytes, } from './extract_errors'; describe('extractUnknownDocFailureReason', () => { it('generates the correct error message', () => { expect( - extractUnknownDocFailureReason( - [ - { - id: 'unknownType:12', - type: 'unknownType', - }, - { - id: 'anotherUnknownType:42', - type: 'anotherUnknownType', - }, - ], - '.kibana_15' - ) + extractUnknownDocFailureReason('some-url.co', [ + { + id: 'unknownType:12', + type: 'unknownType', + }, + { + id: 'anotherUnknownType:42', + type: 'anotherUnknownType', + }, + ]) ).toMatchInlineSnapshot(` - "Migration failed because documents were found for unknown saved object types. To proceed with the migration, please delete these documents from the \\".kibana_15\\" index. - The documents with unknown types are: + "Migration failed because some documents were found which use unknown saved object types: - \\"unknownType:12\\" (type: \\"unknownType\\") - \\"anotherUnknownType:42\\" (type: \\"anotherUnknownType\\") - You can delete them using the following command: - curl -X POST \\"{elasticsearch}/.kibana_15/_bulk?pretty\\" -H 'Content-Type: application/json' -d' - { \\"delete\\" : { \\"_id\\" : \\"unknownType:12\\" } } - { \\"delete\\" : { \\"_id\\" : \\"anotherUnknownType:42\\" } } - '" + + To proceed with the migration you can configure Kibana to discard unknown saved objects for this migration. + Please refer to some-url.co for more information." + `); + }); +}); + +describe('extractDiscardedUnknownDocs', () => { + it('generates the correct error message', () => { + expect( + extractDiscardedUnknownDocs([ + { + id: 'unknownType:12', + type: 'unknownType', + }, + { + id: 'anotherUnknownType:42', + type: 'anotherUnknownType', + }, + ]) + ).toMatchInlineSnapshot(` + "Kibana has been configured to discard unknown documents for this migration. 
+ Therefore, the following documents with unknown types will not be taken into account and they will not be available after the migration: + - \\"unknownType:12\\" (type: \\"unknownType\\") + - \\"anotherUnknownType:42\\" (type: \\"anotherUnknownType\\") + " `); }); }); diff --git a/src/core/server/saved_objects/migrations/model/extract_errors.ts b/src/core/server/saved_objects/migrations/model/extract_errors.ts index c529e1b1da269..1d4d697b74774 100644 --- a/src/core/server/saved_objects/migrations/model/extract_errors.ts +++ b/src/core/server/saved_objects/migrations/model/extract_errors.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import { TransformErrorObjects } from '../core'; -import { CheckForUnknownDocsFoundDoc } from '../actions'; +import type { TransformErrorObjects } from '../core'; +import type { DocumentIdAndType } from '../actions'; /** * Constructs migration failure message strings from corrupt document ids and document transformation errors 
@@ -36,19 +36,23 @@ export function extractTransformFailuresReason( ); } +export function extractDiscardedUnknownDocs(unknownDocs: DocumentIdAndType[]): string { + return ( + `Kibana has been configured to discard unknown documents for this migration.\n` + + `Therefore, the following documents with unknown types will not be taken into account and they will not be available after the migration:\n` + + unknownDocs.map((doc) => `- "${doc.id}" (type: "${doc.type}")\n`).join('') + ); +} + export function extractUnknownDocFailureReason( - unknownDocs: CheckForUnknownDocsFoundDoc[], - sourceIndex: string + resolveMigrationFailuresUrl: string, + unknownDocs: DocumentIdAndType[] ): string { return ( - `Migration failed because documents were found for unknown saved object types. ` + - `To proceed with the migration, please delete these documents from the "${sourceIndex}" index.\n` + - `The documents with unknown types are:\n` + + `Migration failed because some documents were found which use unknown saved object types:\n` + unknownDocs.map((doc) => `- "${doc.id}" (type: "${doc.type}")\n`).join('') + - `You can delete them using the following command:\n` + - `curl -X POST "{elasticsearch}/${sourceIndex}/_bulk?pretty" -H 'Content-Type: application/json' -d'\n` + - unknownDocs.map((doc) => `{ "delete" : { "_id" : "${doc.id}" } }\n`).join('') + - `'` + `\nTo proceed with the migration you can configure Kibana to discard unknown saved objects for this migration.\n` + + `Please refer to ${resolveMigrationFailuresUrl} for more information.` ); } diff --git a/src/core/server/saved_objects/migrations/model/helpers.test.ts b/src/core/server/saved_objects/migrations/model/helpers.test.ts new file mode 100644 index 0000000000000..0e2056eacac66 --- /dev/null +++ b/src/core/server/saved_objects/migrations/model/helpers.test.ts 
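Review bot: `extractDiscardedUnknownDocs` and `extractUnknownDocFailureReason` build the per-document list with the identical expression `unknownDocs.map((doc) => \`- "${doc.id}" (type: "${doc.type}")\n\`).join('')`; extract it into one helper, e.g. `const formatUnknownDocs = (docs: DocumentIdAndType[]) => docs.map((doc) => \`- "${doc.id}" (type: "${doc.type}")\n\`).join('');`, so the two messages cannot drift apart. The ids and types come straight from documents in the source index and are interpolated verbatim into text that ends up in logs and error output; if an id can carry a newline or control characters the list can be visually spoofed, so emitting each entry via `JSON.stringify(doc.id)` (which also supplies the quotes and escapes) keeps every entry on its own line. Neither new function has a JSDoc comment, unlike the existing function above them; one line each — `/** Builds the message logged when unknown documents are discarded by configuration. */` and `/** Builds the fatal reason when unknown documents are found and discarding is not enabled. */` — would match the file.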
@@ -0,0 +1,176 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { + addExcludedTypesToBoolQuery, + addMustClausesToBoolQuery, + addMustNotClausesToBoolQuery, +} from './helpers'; + +describe('addExcludedTypesToBoolQuery', () => { + it('generates a bool query which filters out the specified types', () => { + const boolQuery = { must_not: [] }; + const types = ['type1', 'type2']; + const result = addExcludedTypesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must_not: [{ term: { type: 'type1' } }, { term: { type: 'type2' } }], + }, + }); + }); +}); + +describe('addMustClausesToBoolQuery', () => { + it('generates a new bool query when no query is provided', () => { + const boolQuery = undefined; + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must: [{ term: { type: 'type1' } }, { term: { type: 'type2' } }], + }, + }); + }); + + it('adds a new must clause to the provided bool query, if it did exist', () => { + const boolQuery = { + should: [ + { match: { 'name.first': { query: 'shay', _name: 'first' } } }, + { match: { 'name.last': { query: 'banon', _name: 'last' } } }, + ], + }; + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + should: [ + { match: { 'name.first': { query: 'shay', _name: 'first' } } }, + { match: { 'name.last': { query: 'banon', _name: 'last' } } }, + ], + must: [{ term: { type: 'type1' } }, { term: { type: 'type2' } }], + }, + }); + }); + + it('appends the 
given clauses to the existing must', () => { + const boolQuery = { + must: [ + { match: { type: 'search-session' } }, + { match: { 'search-session.persisted': false } }, + ], + }; + + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must: [ + { match: { type: 'search-session' } }, + { match: { 'search-session.persisted': false } }, + { term: { type: 'type1' } }, + { term: { type: 'type2' } }, + ], + }, + }); + }); + + it('arrayifys the existing must clause if needed', () => { + const boolQuery = { + must: { + term: { type: 'type0' }, + }, + }; + + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must: [ + { term: { type: 'type0' } }, + { term: { type: 'type1' } }, + { term: { type: 'type2' } }, + ], + }, + }); + }); +}); + +describe('addMustNotClausesToBoolQuery', () => { + it('generates a new bool query when no query is provided', () => { + const boolQuery = undefined; + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustNotClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must_not: [{ term: { type: 'type1' } }, { term: { type: 'type2' } }], + }, + }); + }); + + it('adds a new must_not clause to the provided bool query, if it did not exist', () => { + const boolQuery = { + should: [ + { match: { 'name.first': { query: 'shay', _name: 'first' } } }, + { match: { 'name.last': { query: 'banon', _name: 'last' } } }, + ], + }; + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustNotClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + should: [ + { match: { 'name.first': { query: 'shay', _name: 'first' } } }, + { match: { 'name.last': { query: 'banon', _name: 'last' } } }, + ], + 
must_not: [{ term: { type: 'type1' } }, { term: { type: 'type2' } }], + }, + }); + }); + + it('appends the given clauses to the existing must_not', () => { + const boolQuery = { + must_not: [ + { match: { type: 'search-session' } }, + { match: { 'search-session.persisted': false } }, + ], + }; + + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustNotClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must_not: [ + { match: { type: 'search-session' } }, + { match: { 'search-session.persisted': false } }, + { term: { type: 'type1' } }, + { term: { type: 'type2' } }, + ], + }, + }); + }); + + it('arrayifys the existing must_not clause if needed', () => { + const boolQuery = { + must_not: { + term: { type: 'type0' }, + }, + }; + + const types = [{ term: { type: 'type1' } }, { term: { type: 'type2' } }]; + const result = addMustNotClausesToBoolQuery(types, boolQuery); + expect(result).toEqual({ + bool: { + must_not: [ + { term: { type: 'type0' } }, + { term: { type: 'type1' } }, + { term: { type: 'type2' } }, + ], + }, + }); + }); +}); diff --git a/src/core/server/saved_objects/migrations/model/helpers.ts b/src/core/server/saved_objects/migrations/model/helpers.ts index c3a4c85679680..a139089bd3a2d 100644 --- a/src/core/server/saved_objects/migrations/model/helpers.ts +++ b/src/core/server/saved_objects/migrations/model/helpers.ts @@ -7,9 +7,13 @@ */ import { gt, valid } from 'semver'; -import { State } from '../state'; -import { IndexMapping } from '../../mappings'; -import { FetchIndexResponse } from '../actions'; +import type { + QueryDslBoolQuery, + QueryDslQueryContainer, +} from '@elastic/elasticsearch/lib/api/types'; +import type { State } from '../state'; +import type { IndexMapping } from '../../mappings'; +import type { FetchIndexResponse } from '../actions'; /** * A helper function/type for ensuring that all control state's are handled. 
@@ -68,6 +72,75 @@ export function indexBelongsToLaterVersion(indexName: string, kibanaVersion: str
 return version != null ? gt(version, kibanaVersion) : false;
 }
 
+/**
+ * Add new must_not clauses to the given query
+ * in order to filter out the specified types
+ * @param boolQuery the bool query to be enriched
+ * @param types the types to be filtered out
+ * @returns a new query container with the enriched query
+ */
+export function addExcludedTypesToBoolQuery(
+ types: string[],
+ boolQuery?: QueryDslBoolQuery
+): QueryDslQueryContainer {
+ return addMustNotClausesToBoolQuery(
+ types.map((type) => ({ term: { type } })),
+ boolQuery
+ );
+}
+
+/**
+ * Add the given clauses to the 'must' of the given query
+ * @param boolQuery the bool query to be enriched
+ * @param mustClauses the clauses to be added to a 'must'
+ * @returns a new query container with the enriched query
+ */
+export function addMustClausesToBoolQuery(
+ mustClauses: QueryDslQueryContainer[],
+ boolQuery?: QueryDslBoolQuery
+): QueryDslQueryContainer {
+ let must: QueryDslQueryContainer[] = [];
+
+ if (boolQuery?.must) {
+ must = must.concat(boolQuery.must);
+ }
+
+ must.push(...mustClauses);
+
+ return {
+ bool: {
+ ...boolQuery,
+ must,
+ },
+ };
+}
+
+/**
+ * Add the given clauses to the 'must_not' of the given query
+ * @param boolQuery the bool query to be enriched
+ * @param mustNotClauses the clauses to be added to a 'must_not'
+ * @returns a new query container with the enriched query
+ */
+export function addMustNotClausesToBoolQuery(
+ mustNotClauses: QueryDslQueryContainer[],
+ boolQuery?: QueryDslBoolQuery
+): QueryDslQueryContainer {
+ let mustNot: QueryDslQueryContainer[] = [];
+
+ if (boolQuery?.must_not) {
+ mustNot = mustNot.concat(boolQuery.must_not);
+ }
+
+ mustNot.push(...mustNotClauses);
+
+ return {
+ bool: {
+ ...boolQuery,
+ must_not: mustNot,
+ },
+ };
+}
+
 /**
 * Extracts the version number from a >= 7.11 index
 * @param indexName A >= v7.11 index name
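Review bot: The JSDoc `@param` tags on `addExcludedTypesToBoolQuery`, `addMustClausesToBoolQuery` and `addMustNotClausesToBoolQuery` list `boolQuery` first, but in all three signatures it is the second, optional parameter; reorder the tags to match the signatures (`@param types` / `@param mustClauses` / `@param mustNotClauses` first, then `@param [boolQuery]`). The docs could also state what helpers.test.ts relies on: an existing single-object `must`/`must_not` is normalised to an array by `concat`, and every other property of `boolQuery` is carried over by the `...boolQuery` spread, e.g. `* Note: an existing scalar clause is arrayified; the other bool properties are preserved`. The excluded `type` values are placed in `term` clauses as data rather than interpolated into a query string, which is the right shape for values read back from index content.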
diff --git a/src/core/server/saved_objects/migrations/model/model.test.ts b/src/core/server/saved_objects/migrations/model/model.test.ts index 1782ece9b4827..5a63e180e7aa9 100644 --- a/src/core/server/saved_objects/migrations/model/model.test.ts +++ b/src/core/server/saved_objects/migrations/model/model.test.ts @@ -59,6 +59,7 @@ describe('migrations v2 model', () => { retryAttempts: 15, batchSize: 1000, maxBatchSizeBytes: 1e8, + discardUnknownObjects: false, indexPrefix: '.kibana', outdatedDocumentsQuery: {}, targetIndexMappings: { @@ -81,7 +82,7 @@ describe('migrations v2 model', () => { versionAlias: '.kibana_7.11.0', versionIndex: '.kibana_7.11.0_001', tempIndex: '.kibana_7.11.0_reindex_temp', - unusedTypesQuery: { + excludeOnUpgradeQuery: { bool: { must_not: [ { @@ -805,7 +806,7 @@ describe('migrations v2 model', () => { }, } as const; - test('CHECK_UNKNOWN_DOCUMENTS -> SET_SOURCE_WRITE_BLOCK if action succeeds', () => { + test('CHECK_UNKNOWN_DOCUMENTS -> SET_SOURCE_WRITE_BLOCK if action succeeds and no unknown docs are found', () => { const checkUnknownDocumentsSourceState: CheckUnknownDocumentsState = { ...baseState, controlState: 'CHECK_UNKNOWN_DOCUMENTS', 
@@ -853,29 +854,76 @@ describe('migrations v2 model', () => { expect(newState.logs).toEqual([]); }); - test('CHECK_UNKNOWN_DOCUMENTS -> FATAL if action fails and unknown docs were found', () => { - const checkUnknownDocumentsSourceState: CheckUnknownDocumentsState = { - ...baseState, - controlState: 'CHECK_UNKNOWN_DOCUMENTS', - sourceIndex: Option.some('.kibana_3') as Option.Some, - sourceIndexMappings: mappingsWithUnknownType, - }; + describe('when unknown docs are found', () => { + test('CHECK_UNKNOWN_DOCUMENTS -> SET_SOURCE_WRITE_BLOCK if discardUnknownObjects=true', () => { + const checkUnknownDocumentsSourceState: CheckUnknownDocumentsState = { + ...baseState, + discardUnknownObjects: true, + controlState: 'CHECK_UNKNOWN_DOCUMENTS', + sourceIndex: Option.some('.kibana_3') as Option.Some, + sourceIndexMappings: mappingsWithUnknownType, + }; + + const res: ResponseType<'CHECK_UNKNOWN_DOCUMENTS'> = Either.right({ + type: 'unknown_docs_found', + unknownDocs: [ + { id: 'dashboard:12', type: 'dashboard' }, + { id: 'foo:17', type: 'foo' }, + ], + }); + const newState = model(checkUnknownDocumentsSourceState, res); - const res: ResponseType<'CHECK_UNKNOWN_DOCUMENTS'> = Either.left({ - type: 'unknown_docs_found', - unknownDocs: [ - { id: 'dashboard:12', type: 'dashboard' }, - { id: 'foo:17', type: 'foo' }, - ], + expect(newState).toMatchObject({ + controlState: 'SET_SOURCE_WRITE_BLOCK', + sourceIndex: Option.some('.kibana_3'), + targetIndex: '.kibana_7.11.0_001', + }); + + expect(newState.excludeOnUpgradeQuery).toEqual({ + bool: { + must_not: [ + { term: { type: 'unused-fleet-agent-events' } }, + { term: { type: 'dashboard' } }, + { term: { type: 'foo' } }, + ], + must: [{ exists: { field: 'type' } }], + }, + }); + + // we should have a warning in the logs about the ignored types + expect( + newState.logs.find(({ level, message }) => { + return ( + level === 'warning' && message.includes('dashboard') && message.includes('foo') + ); + }) + ).toBeDefined(); }); - const 
newState = model(checkUnknownDocumentsSourceState, res); - expect(newState.controlState).toEqual('FATAL'); - expect(newState).toMatchObject({ - controlState: 'FATAL', - reason: expect.stringContaining( - 'Migration failed because documents were found for unknown saved object types' - ), + test('CHECK_UNKNOWN_DOCUMENTS -> FATAL if discardUnknownObjects=false', () => { + const checkUnknownDocumentsSourceState: CheckUnknownDocumentsState = { + ...baseState, + controlState: 'CHECK_UNKNOWN_DOCUMENTS', + sourceIndex: Option.some('.kibana_3') as Option.Some, + sourceIndexMappings: mappingsWithUnknownType, + }; + + const res: ResponseType<'CHECK_UNKNOWN_DOCUMENTS'> = Either.right({ + type: 'unknown_docs_found', + unknownDocs: [ + { id: 'dashboard:12', type: 'dashboard' }, + { id: 'foo:17', type: 'foo' }, + ], + }); + const newState = model(checkUnknownDocumentsSourceState, res); + expect(newState.controlState).toEqual('FATAL'); + + expect(newState).toMatchObject({ + controlState: 'FATAL', + reason: expect.stringContaining( + 'Migration failed because some documents were found which use unknown saved object types' + ), + }); }); }); }); 
@@ -926,30 +974,27 @@ describe('migrations v2 model', () => {
 const newState = model(state, res);
 expect(newState.controlState).toEqual('CALCULATE_EXCLUDE_FILTERS');
 });
- test('CALCULATE_EXCLUDE_FILTERS -> CREATE_REINDEX_TEMP if action succeeds with filters', () => {
+ it('CALCULATE_EXCLUDE_FILTERS -> CREATE_REINDEX_TEMP if action succeeds with filters', () => {
 const res: ResponseType<'CALCULATE_EXCLUDE_FILTERS'> = Either.right({
- excludeFilter: { bool: { must: { term: { fieldA: 'abc' } } } },
+ mustNotClauses: [{ term: { fieldA: 'abc' } }],
 errorsByType: { type1: new Error('an error!') },
 });
 const newState = model(state, res);
 expect(newState.controlState).toEqual('CREATE_REINDEX_TEMP');
- expect(newState.unusedTypesQuery).toEqual({
- // New filter should be combined unused type query and filter from response
+
+ expect(newState.excludeOnUpgradeQuery).toEqual({
+ // new filters should be added inside a must_not clause, enriching excludeOnUpgradeQuery
 bool: {
- filter: [
+ must_not: [
 {
- bool: {
- must_not: [
- {
- term: {
- type: 'unused-fleet-agent-events',
- },
- },
- ],
+ term: {
+ type: 'unused-fleet-agent-events',
 },
 },
 {
- bool: { must: { term: { fieldA: 'abc' } } },
+ term: {
+ fieldA: 'abc',
+ },
 },
 ],
 },
diff --git a/src/core/server/saved_objects/migrations/model/model.ts b/src/core/server/saved_objects/migrations/model/model.ts
index accff9553c808..b552b9cbb049a 100644
--- a/src/core/server/saved_objects/migrations/model/model.ts
+++ b/src/core/server/saved_objects/migrations/model/model.ts
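Review bot: Switching this one case from `test(` to `it(` leaves it the only `it(` in a describe block whose sibling cases, including the two added in the CHECK_UNKNOWN_DOCUMENTS hunk above, use `test(`; keep `test('CALCULATE_EXCLUDE_FILTERS -> CREATE_REINDEX_TEMP if action succeeds with filters', () => {` here, or convert the whole file in a separate change. The new comment `// new filters should be added inside a must_not clause, enriching excludeOnUpgradeQuery` would be more precise as `// the returned mustNotClauses are appended to the existing must_not of excludeOnUpgradeQuery`, which is exactly what the assertion below checks.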
@@ -8,10 +8,9 @@ import * as Either from 'fp-ts/lib/Either'; import * as Option from 'fp-ts/lib/Option'; -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { AliasAction, isLeftTypeof } from '../actions'; -import { AllActionStates, State } from '../state'; +import { type AliasAction, isTypeof } from '../actions'; +import type { AllActionStates, State } from '../state'; import type { ResponseType } from '../next'; import { disableUnknownTypeMappingFields } from '../core'; import { @@ -25,9 +24,13 @@ import { extractTransformFailuresReason, extractUnknownDocFailureReason, fatalReasonDocumentExceedsMaxBatchSizeBytes, + extractDiscardedUnknownDocs, } from './extract_errors'; import type { ExcludeRetryableEsError } from './types'; import { + addExcludedTypesToBoolQuery, + addMustClausesToBoolQuery, + addMustNotClausesToBoolQuery, getAliases, indexBelongsToLaterVersion, indexVersion, @@ -36,6 +39,7 @@ import { throwBadResponse, } from './helpers'; import { createBatches } from './create_batches'; +import type { MigrationLog } from '../types'; export const FATAL_REASON_REQUEST_ENTITY_TOO_LARGE = `While indexing a batch of saved objects, Elasticsearch returned a 413 Request Entity Too Large exception. Ensure that the Kibana configuration option 'migrations.maxBatchSizeBytes' is set to a value that is lower than or equal to the Elasticsearch 'http.max_content_length' configuration option.`; const CLUSTER_SHARD_LIMIT_EXCEEDED_REASON = `[cluster_shard_limit_exceeded] Upgrading Kibana requires adding a small number of new shards. Ensure that Kibana is able to add 10 more shards by increasing the cluster.max_shards_per_node setting, or removing indices to clear up resources.`; 
@@ -53,7 +57,7 @@ export const model = (currentState: State, resW: ResponseType): // Handle retryable_es_client_errors. Other left values need to be handled // by the control state specific code below. if (Either.isLeft(resW)) { - if (isLeftTypeof(resW.left, 'retryable_es_client_error')) { + if (isTypeof(resW.left, 'retryable_es_client_error')) { // Retry the same step after an exponentially increasing delay. return delayRetryState(stateP, resW.left.message, stateP.retryAttempts); } @@ -67,7 +71,7 @@ export const model = (currentState: State, resW: ResponseType): if (Either.isLeft(res)) { const left = res.left; - if (isLeftTypeof(left, 'incompatible_cluster_routing_allocation')) { + if (isTypeof(left, 'incompatible_cluster_routing_allocation')) { const retryErrorMessage = `[${left.type}] Incompatible Elasticsearch cluster settings detected. Remove the persistent and transient Elasticsearch cluster setting 'cluster.routing.allocation.enable' or set it to a value of 'all' to allow migrations to proceed. Refer to ${stateP.migrationDocLinks.routingAllocationDisabled} for more information on how to resolve the issue.`; return delayRetryState(stateP, retryErrorMessage, stateP.retryAttempts); } else { @@ -209,7 +213,7 @@ export const model = (currentState: State, resW: ResponseType): // If the write block failed because the index doesn't exist, it means // another instance already completed the legacy pre-migration. Proceed // to the next step. - if (isLeftTypeof(res.left, 'index_not_found_exception')) { + if (isTypeof(res.left, 'index_not_found_exception')) { return { ...stateP, controlState: 'LEGACY_CREATE_REINDEX_TARGET' }; } else { // @ts-expect-error TS doesn't correctly narrow this type to never 
@@ -222,7 +226,7 @@ export const model = (currentState: State, resW: ResponseType): const res = resW as ExcludeRetryableEsError>; if (Either.isLeft(res)) { const left = res.left; - if (isLeftTypeof(left, 'index_not_yellow_timeout')) { + if (isTypeof(left, 'index_not_yellow_timeout')) { // `index_not_yellow_timeout` for the LEGACY_CREATE_REINDEX_TARGET source index: // A yellow status timeout could theoretically be temporary for a busy cluster // that takes a long time to allocate the primary and we retry the action to see if @@ -231,7 +235,7 @@ export const model = (currentState: State, resW: ResponseType): // continue to timeout and eventually lead to a failed migration. const retryErrorMessage = `${left.message} Refer to ${stateP.migrationDocLinks.repeatedTimeoutRequests} for information on how to resolve the issue.`; return delayRetryState(stateP, retryErrorMessage, stateP.retryAttempts); - } else if (isLeftTypeof(left, 'cluster_shard_limit_exceeded')) { + } else if (isTypeof(left, 'cluster_shard_limit_exceeded')) { return { ...stateP, controlState: 'FATAL', @@ -272,8 +276,8 @@ export const model = (currentState: State, resW: ResponseType): } else { const left = res.left; if ( - (isLeftTypeof(left, 'index_not_found_exception') && left.index === stateP.legacyIndex) || - isLeftTypeof(left, 'target_index_had_write_block') + (isTypeof(left, 'index_not_found_exception') && left.index === stateP.legacyIndex) || + isTypeof(left, 'target_index_had_write_block') ) { // index_not_found_exception for the LEGACY_REINDEX source index: // another instance already complete the LEGACY_DELETE step. 
@@ -286,15 +290,15 @@ export const model = (currentState: State, resW: ResponseType): // step. However, by not skipping ahead we limit branches in the // control state progression and simplify the implementation. return { ...stateP, controlState: 'LEGACY_DELETE' }; - } else if (isLeftTypeof(left, 'wait_for_task_completion_timeout')) { + } else if (isTypeof(left, 'wait_for_task_completion_timeout')) { // After waiting for the specified timeout, the task has not yet // completed. Retry this step to see if the task has completed after an // exponential delay. We will basically keep polling forever until the // Elasticsearch task succeeds or fails. return delayRetryState(stateP, left.message, Number.MAX_SAFE_INTEGER); } else if ( - isLeftTypeof(left, 'index_not_found_exception') || - isLeftTypeof(left, 'incompatible_mapping_exception') + isTypeof(left, 'index_not_found_exception') || + isTypeof(left, 'incompatible_mapping_exception') ) { // We don't handle the following errors as the algorithm will never // run into these during the LEGACY_REINDEX_WAIT_FOR_TASK step: @@ -312,8 +316,8 @@ export const model = (currentState: State, resW: ResponseType): } else if (Either.isLeft(res)) { const left = res.left; if ( - isLeftTypeof(left, 'remove_index_not_a_concrete_index') || - (isLeftTypeof(left, 'index_not_found_exception') && left.index === stateP.legacyIndex) + isTypeof(left, 'remove_index_not_a_concrete_index') || + (isTypeof(left, 'index_not_found_exception') && left.index === stateP.legacyIndex) ) { // index_not_found_exception, another Kibana instance already // deleted the legacy index 
@@ -327,8 +331,8 @@ export const model = (currentState: State, resW: ResponseType): // control state progression and simplify the implementation. return { ...stateP, controlState: 'SET_SOURCE_WRITE_BLOCK' }; } else if ( - isLeftTypeof(left, 'index_not_found_exception') || - isLeftTypeof(left, 'alias_not_found_exception') + isTypeof(left, 'index_not_found_exception') || + isTypeof(left, 'alias_not_found_exception') ) { // We don't handle the following errors as the migration algorithm // will never cause them to occur: @@ -351,7 +355,7 @@ export const model = (currentState: State, resW: ResponseType): }; } else if (Either.isLeft(res)) { const left = res.left; - if (isLeftTypeof(left, 'index_not_yellow_timeout')) { + if (isTypeof(left, 'index_not_yellow_timeout')) { // A yellow status timeout could theoretically be temporary for a busy cluster // that takes a long time to allocate the primary and we retry the action to see if // we get a response. 
@@ -368,36 +372,61 @@ export const model = (currentState: State, resW: ResponseType):
 } else if (stateP.controlState === 'CHECK_UNKNOWN_DOCUMENTS') {
 const res = resW as ExcludeRetryableEsError>;
 
- if (Either.isRight(res)) {
- const source = stateP.sourceIndex;
- const target = stateP.versionIndex;
- return {
- ...stateP,
- controlState: 'SET_SOURCE_WRITE_BLOCK',
- sourceIndex: source,
- targetIndex: target,
- targetIndexMappings: disableUnknownTypeMappingFields(
- stateP.targetIndexMappings,
- stateP.sourceIndexMappings
- ),
- versionIndexReadyActions: Option.some([
- { remove: { index: source.value, alias: stateP.currentAlias, must_exist: true } },
- { add: { index: target, alias: stateP.currentAlias } },
- { add: { index: target, alias: stateP.versionAlias } },
- { remove_index: { index: stateP.tempIndex } },
- ]),
- };
- } else {
- if (isLeftTypeof(res.left, 'unknown_docs_found')) {
+ let logs: MigrationLog[] = stateP.logs;
+ let excludeOnUpgradeQuery = stateP.excludeOnUpgradeQuery;
+
+ if (isTypeof(res.right, 'unknown_docs_found')) {
+ if (!stateP.discardUnknownObjects) {
 return {
 ...stateP,
 controlState: 'FATAL',
- reason: extractUnknownDocFailureReason(res.left.unknownDocs, stateP.sourceIndex.value),
+ reason: extractUnknownDocFailureReason(
+ stateP.migrationDocLinks.resolveMigrationFailures,
+ res.right.unknownDocs
+ ),
 };
- } else {
- return throwBadResponse(stateP, res.left);
 }
+
+ // at this point, users have configured kibana to discard unknown objects
+ // thus, we can ignore unknown documents and proceed with the migration
+ logs = [
+ ...stateP.logs,
+ { level: 'warning', message: extractDiscardedUnknownDocs(res.right.unknownDocs) },
+ ];
+
+ const unknownTypes = [...new Set(res.right.unknownDocs.map(({ type }) => type))];
+
+ excludeOnUpgradeQuery = addExcludedTypesToBoolQuery(
+ unknownTypes,
+ stateP.excludeOnUpgradeQuery?.bool
+ );
+
+ excludeOnUpgradeQuery = addMustClausesToBoolQuery(
+ [{ exists: { field: 'type' } }],
+ excludeOnUpgradeQuery.bool
+ );
 }
+
+ const source = stateP.sourceIndex;
+ const target = stateP.versionIndex;
+ return {
+ ...stateP,
+ controlState: 'SET_SOURCE_WRITE_BLOCK',
+ logs,
+ excludeOnUpgradeQuery,
+ sourceIndex: source,
+ targetIndex: target,
+ targetIndexMappings: disableUnknownTypeMappingFields(
+ stateP.targetIndexMappings,
+ stateP.sourceIndexMappings
+ ),
+ versionIndexReadyActions: Option.some([
+ { remove: { index: source.value, alias: stateP.currentAlias, must_exist: true } },
+ { add: { index: target, alias: stateP.currentAlias } },
+ { add: { index: target, alias: stateP.versionAlias } },
+ { remove_index: { index: stateP.tempIndex } },
+ ]),
+ };
 } else if (stateP.controlState === 'SET_SOURCE_WRITE_BLOCK') {
 const res = resW as ExcludeRetryableEsError>;
 if (Either.isRight(res)) {
@@ -406,7 +435,7 @@ export const model = (currentState: State, resW: ResponseType):
 ...stateP,
 controlState: 'CALCULATE_EXCLUDE_FILTERS',
 };
- } else if (isLeftTypeof(res.left, 'index_not_found_exception')) {
+ } else if (isTypeof(res.left, 'index_not_found_exception')) {
 // We don't handle the following errors as the migration algorithm
 // will never cause them to occur:
 // - index_not_found_exception
@@ -418,16 +447,15 @@ export const model = (currentState: State, resW: ResponseType):
 const res = resW as ExcludeRetryableEsError>;
 
 if (Either.isRight(res)) {
- const unusedTypesQuery: estypes.QueryDslQueryContainer = {
- bool: {
- filter: [stateP.unusedTypesQuery, res.right.excludeFilter],
- },
- };
+ const excludeOnUpgradeQuery = addMustNotClausesToBoolQuery(
+ res.right.mustNotClauses,
+ stateP.excludeOnUpgradeQuery?.bool
+ );
 return {
 ...stateP,
 controlState: 'CREATE_REINDEX_TEMP',
- unusedTypesQuery,
+ excludeOnUpgradeQuery,
 logs: [
 ...stateP.logs,
 ...Object.entries(res.right.errorsByType).map(([soType, error]) => ({
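Review bot: The `Either.isRight(res)` guard and the `throwBadResponse` fallback were removed from the CHECK_UNKNOWN_DOCUMENTS branch and `res.right` is now read unconditionally; if `ResponseType<'CHECK_UNKNOWN_DOCUMENTS'>` still carries a non-retryable Left variant (not visible in this diff), such a response would now advance to SET_SOURCE_WRITE_BLOCK with `res.right` undefined instead of throwing. If the action is now Right-only, say so where the guard used to be: `// checkForUnknownDocs only returns Right here; retryable errors were handled above`. The `addMustClausesToBoolQuery([{ exists: { field: 'type' } }], …)` call also deserves a why-comment, presumably `// restrict the reindex to documents that carry a type field; the term clauses above cannot exclude untyped docs — confirm`. Since the warning entry pushed into `logs` appears to be the only record that documents were left out of the upgraded index, the message built by `extractDiscardedUnknownDocs` (outside this hunk) should name every discarded type and the document count; the new test in model.test.ts only checks that the type names appear.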
@@ -445,7 +473,7 @@ export const model = (currentState: State, resW: ResponseType): return { ...stateP, controlState: 'REINDEX_SOURCE_TO_TEMP_OPEN_PIT' }; } else if (Either.isLeft(res)) { const left = res.left; - if (isLeftTypeof(left, 'index_not_yellow_timeout')) { + if (isTypeof(left, 'index_not_yellow_timeout')) { // `index_not_yellow_timeout` for the CREATE_REINDEX_TEMP target temp index: // The index status did not go yellow within the specified timeout period. // A yellow status timeout could theoretically be temporary for a busy cluster. @@ -454,7 +482,7 @@ export const model = (currentState: State, resW: ResponseType): // continue to timeout and eventually lead to a failed migration. const retryErrorMessage = `${left.message} Refer to ${stateP.migrationDocLinks.repeatedTimeoutRequests} for information on how to resolve the issue.`; return delayRetryState(stateP, retryErrorMessage, stateP.retryAttempts); - } else if (isLeftTypeof(left, 'cluster_shard_limit_exceeded')) { + } else if (isTypeof(left, 'cluster_shard_limit_exceeded')) { return { ...stateP, controlState: 'FATAL', @@ -588,7 +616,7 @@ export const model = (currentState: State, resW: ResponseType): } else { // we have failures from the current batch of documents and add them to the lists const left = res.left; - if (isLeftTypeof(left, 'documents_transform_failed')) { + if (isTypeof(left, 'documents_transform_failed')) { return { ...stateP, controlState: 'REINDEX_SOURCE_TO_TEMP_READ', @@ -621,8 +649,8 @@ export const model = (currentState: State, resW: ResponseType): } } else { if ( - isLeftTypeof(res.left, 'target_index_had_write_block') || - isLeftTypeof(res.left, 'index_not_found_exception') + isTypeof(res.left, 'target_index_had_write_block') || + isTypeof(res.left, 'index_not_found_exception') ) { // When the temp index has a write block or has been deleted another // instance already completed this step. Close the PIT search and carry 
@@ -631,7 +659,7 @@ export const model = (currentState: State, resW: ResponseType): ...stateP, controlState: 'REINDEX_SOURCE_TO_TEMP_CLOSE_PIT', }; - } else if (isLeftTypeof(res.left, 'request_entity_too_large_exception')) { + } else if (isTypeof(res.left, 'request_entity_too_large_exception')) { return { ...stateP, controlState: 'FATAL', @@ -649,7 +677,7 @@ export const model = (currentState: State, resW: ResponseType): }; } else { const left = res.left; - if (isLeftTypeof(left, 'index_not_found_exception')) { + if (isTypeof(left, 'index_not_found_exception')) { // index_not_found_exception: // another instance completed the MARK_VERSION_INDEX_READY and // removed the temp index. @@ -673,7 +701,7 @@ export const model = (currentState: State, resW: ResponseType): }; } else { const left = res.left; - if (isLeftTypeof(left, 'index_not_found_exception')) { + if (isTypeof(left, 'index_not_found_exception')) { // index_not_found_exception means another instance already completed // the MARK_VERSION_INDEX_READY step and removed the temp index // We still perform the REFRESH_TARGET, OUTDATED_DOCUMENTS_* and @@ -683,7 +711,7 @@ export const model = (currentState: State, resW: ResponseType): ...stateP, controlState: 'REFRESH_TARGET', }; - } else if (isLeftTypeof(left, 'index_not_yellow_timeout')) { + } else if (isTypeof(left, 'index_not_yellow_timeout')) { // `index_not_yellow_timeout` for the CLONE_TEMP_TO_TARGET source -> target index: // The target index status did not go yellow within the specified timeout period. // The cluster could just be busy and we retry the action. 
@@ -695,7 +723,7 @@ export const model = (currentState: State, resW: ResponseType): // continue to timeout and eventually lead to a failed migration. const retryErrorMessage = `${left.message} Refer to ${stateP.migrationDocLinks.repeatedTimeoutRequests} for information on how to resolve the issue.`; return delayRetryState(stateP, retryErrorMessage, stateP.retryAttempts); - } else if (isLeftTypeof(left, 'cluster_shard_limit_exceeded')) { + } else if (isTypeof(left, 'cluster_shard_limit_exceeded')) { return { ...stateP, controlState: 'FATAL', @@ -817,7 +845,7 @@ export const model = (currentState: State, resW: ResponseType): }; } } else { - if (isLeftTypeof(res.left, 'documents_transform_failed')) { + if (isTypeof(res.left, 'documents_transform_failed')) { // continue to build up any more transformation errors before failing the migration. return { ...stateP, @@ -849,15 +877,15 @@ export const model = (currentState: State, resW: ResponseType): hasTransformedDocs: true, }; } else { - if (isLeftTypeof(res.left, 'request_entity_too_large_exception')) { + if (isTypeof(res.left, 'request_entity_too_large_exception')) { return { ...stateP, controlState: 'FATAL', reason: FATAL_REASON_REQUEST_ENTITY_TOO_LARGE, }; } else if ( - isLeftTypeof(res.left, 'target_index_had_write_block') || - isLeftTypeof(res.left, 'index_not_found_exception') + isTypeof(res.left, 'target_index_had_write_block') || + isTypeof(res.left, 'index_not_found_exception') ) { // we fail on these errors since the target index will never get // deleted and should only have a write block if a newer version of 
@@ -929,7 +957,7 @@ export const model = (currentState: State, resW: ResponseType): } } else { const left = res.left; - if (isLeftTypeof(left, 'wait_for_task_completion_timeout')) { + if (isTypeof(left, 'wait_for_task_completion_timeout')) { // After waiting for the specified timeout, the task has not yet // completed. Retry this step to see if the task has completed after an // exponential delay. We will basically keep polling forever until the @@ -948,7 +976,7 @@ export const model = (currentState: State, resW: ResponseType): }; } else if (Either.isLeft(res)) { const left = res.left; - if (isLeftTypeof(left, 'index_not_yellow_timeout')) { + if (isTypeof(left, 'index_not_yellow_timeout')) { // `index_not_yellow_timeout` for the CREATE_NEW_TARGET target index: // The cluster might just be busy and we retry the action for a set number of times. // If the cluster hit the low watermark for disk usage the action will continue to timeout. @@ -956,7 +984,7 @@ export const model = (currentState: State, resW: ResponseType): // continue to timeout and eventually lead to a failed migration. const retryErrorMessage = `${left.message} Refer to ${stateP.migrationDocLinks.repeatedTimeoutRequests} for information on how to resolve the issue.`; return delayRetryState(stateP, retryErrorMessage, stateP.retryAttempts); - } else if (isLeftTypeof(left, 'cluster_shard_limit_exceeded')) { + } else if (isTypeof(left, 'cluster_shard_limit_exceeded')) { return { ...stateP, controlState: 'FATAL', 
@@ -977,13 +1005,13 @@ export const model = (currentState: State, resW: ResponseType): return { ...stateP, controlState: 'DONE' }; } else { const left = res.left; - if (isLeftTypeof(left, 'alias_not_found_exception')) { + if (isTypeof(left, 'alias_not_found_exception')) { // the versionIndexReadyActions checks that the currentAlias is still // pointing to the source index. If this fails with an // alias_not_found_exception another instance has completed a // migration from the same source. return { ...stateP, controlState: 'MARK_VERSION_INDEX_READY_CONFLICT' }; - } else if (isLeftTypeof(left, 'index_not_found_exception')) { + } else if (isTypeof(left, 'index_not_found_exception')) { if (left.index === stateP.tempIndex) { // another instance has already completed the migration and deleted // the temporary index @@ -994,7 +1022,7 @@ export const model = (currentState: State, resW: ResponseType): // index handled above. throwBadResponse(stateP, left as never); } - } else if (isLeftTypeof(left, 'remove_index_not_a_concrete_index')) { + } else if (isTypeof(left, 'remove_index_not_a_concrete_index')) { // We don't handle this error as the migration algorithm will never // cause it to occur (this error is only relevant to the LEGACY_DELETE // step). diff --git a/src/core/server/saved_objects/migrations/next.ts b/src/core/server/saved_objects/migrations/next.ts index 24a4204c3009e..e50331d3b7658 100644 --- a/src/core/server/saved_objects/migrations/next.ts +++ b/src/core/server/saved_objects/migrations/next.ts @@ -40,9 +40,9 @@ import type { CheckUnknownDocumentsState, CalculateExcludeFiltersState, } from './state'; -import { TransformRawDocs } from './types'; +import type { TransformRawDocs } from './types'; import * as Actions from './actions'; -import { ElasticsearchClient } from '../../elasticsearch'; +import type { ElasticsearchClient } from '../../elasticsearch'; type ActionMap = ReturnType; 
@@ -66,7 +66,7 @@ export const nextActionMap = (client: ElasticsearchClient, transformRawDocs: Tra Actions.checkForUnknownDocs({ client, indexName: state.sourceIndex.value, - unusedTypesQuery: state.unusedTypesQuery, + excludeOnUpgradeQuery: state.excludeOnUpgradeQuery, knownTypes: state.knownTypes, }), SET_SOURCE_WRITE_BLOCK: (state: SetSourceWriteBlockState) => @@ -98,7 +98,7 @@ export const nextActionMap = (client: ElasticsearchClient, transformRawDocs: Tra * are no longer used. These saved objects will still be kept in the outdated * index for backup purposes, but won't be available in the upgraded index. */ - query: state.unusedTypesQuery, + query: state.excludeOnUpgradeQuery, batchSize: state.batchSize, searchAfter: state.lastHitSortValue, }), @@ -187,7 +187,7 @@ export const nextActionMap = (client: ElasticsearchClient, transformRawDocs: Tra targetIndex: state.sourceIndex.value, reindexScript: state.preMigrationScript, requireAlias: false, - unusedTypesQuery: state.unusedTypesQuery, + excludeOnUpgradeQuery: state.excludeOnUpgradeQuery, }), LEGACY_REINDEX_WAIT_FOR_TASK: (state: LegacyReindexWaitForTaskState) => Actions.waitForReindexTask({ client, taskId: state.legacyReindexTaskId, timeout: '60s' }), diff --git a/src/core/server/saved_objects/migrations/run_resilient_migrator.ts b/src/core/server/saved_objects/migrations/run_resilient_migrator.ts index 6e5766c9f5dcf..194496b826b0e 100644 --- a/src/core/server/saved_objects/migrations/run_resilient_migrator.ts +++ b/src/core/server/saved_objects/migrations/run_resilient_migrator.ts @@ -59,6 +59,7 @@ export async function runResilientMigrator({ migrationsConfig, typeRegistry, docLinks, + logger, }); return migrationStateActionMachine({ initialState, diff --git a/src/core/server/saved_objects/migrations/state.ts b/src/core/server/saved_objects/migrations/state.ts index dee6839d6b902..3dac96987eb92 100644 --- a/src/core/server/saved_objects/migrations/state.ts 
+++ b/src/core/server/saved_objects/migrations/state.ts @@ -7,15 +7,15 @@ */ import * as Option from 'fp-ts/lib/Option'; -import * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types'; import type { DocLinks } from '@kbn/doc-links'; -import { ControlState } from './state_action_machine'; -import { AliasAction } from './actions'; -import { IndexMapping } from '../mappings'; -import { SavedObjectsRawDoc } from '..'; -import { TransformErrorObjects } from './core'; -import { SavedObjectTypeExcludeFromUpgradeFilterHook } from '../types'; -import { MigrationLog, Progress } from './types'; +import type { ControlState } from './state_action_machine'; +import type { AliasAction } from './actions'; +import type { IndexMapping } from '../mappings'; +import type { SavedObjectsRawDoc } from '..'; +import type { TransformErrorObjects } from './core'; +import type { SavedObjectTypeExcludeFromUpgradeFilterHook } from '../types'; +import type { MigrationLog, Progress } from './types'; export interface BaseState extends ControlState { /** The first part of the index name such as `.kibana` or `.kibana_task_manager` */ @@ -39,7 +39,7 @@ export interface BaseState extends ControlState { readonly tempIndexMappings: IndexMapping; /** Script to apply to a legacy index before it can be used as a migration source */ readonly preMigrationScript: Option.Option; - readonly outdatedDocumentsQuery: estypes.QueryDslQueryContainer; + readonly outdatedDocumentsQuery: QueryDslQueryContainer; readonly retryCount: number; readonly retryDelay: number; /** 
@@ -87,6 +87,14 @@ export interface BaseState extends ControlState {
 */
 readonly maxBatchSizeBytes: number;
 readonly logs: MigrationLog[];
+ /**
+ * If saved objects exist which have an unknown type they will cause
+ * the migration to fail. If this flag is set to `true`, kibana will
+ * discard the unknown objects and proceed with the migration.
+ * This can happen, for instance, if a plugin that had registered some
+ * saved objects is disabled.
+ */
+ readonly discardUnknownObjects: boolean;
 /**
 * The current alias e.g. `.kibana` which always points to the latest
 * version index
@@ -107,11 +115,16 @@ export interface BaseState extends ControlState {
 */
 readonly tempIndex: string;
 /**
- * When reindexing we use a source query to exclude saved objects types which
- * are no longer used. These saved objects will still be kept in the outdated
+ * When upgrading to a more recent kibana version, some saved object types
+ * might be conflicting or no longer used.
+ * When reindexing, we use a source query to exclude types which are:
+ * - no longer used
+ * - unknown (e.g. belonging to plugins that have been disabled)
+ * - explicitly excluded from upgrades by plugin developers
+ * These saved objects will still be kept in the outdated
 * index for backup purposes, but won't be available in the upgraded index.
 */
- readonly unusedTypesQuery: estypes.QueryDslQueryContainer;
+ readonly excludeOnUpgradeQuery: QueryDslQueryContainer;
 /**
 * The list of known SO types that are registered.
 */
@@ -146,7 +159,7 @@ export interface PostInitState extends BaseState {
 /** The target index is the index to which the migration writes */
 readonly targetIndex: string;
 readonly versionIndexReadyActions: Option.Option;
- readonly outdatedDocumentsQuery: estypes.QueryDslQueryContainer;
+ readonly outdatedDocumentsQuery: QueryDslQueryContainer;
 }
 
 export interface DoneState extends PostInitState {
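Review bot: The new doc comment on `discardUnknownObjects` says unknown objects are dropped `If this flag is set to \`true\``, but the setting added to `saved_objects_config.ts` in this same change is an optional semver string, not a boolean, so a reader of this interface cannot tell when the flag becomes `true` or where that decision is made. Add the derivation to the comment, e.g. `* Derived from the \`migrations.discardUnknownObjects\` setting (a version string); the mapping to this boolean is done by the migrator, not here.` Because this is a destructive opt-in, it is also worth repeating here what the `excludeOnUpgradeQuery` comment in the next hunk already says: the discarded documents are kept in the outdated index and only disappear from the upgraded one.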
diff --git a/src/core/server/saved_objects/saved_objects_config.ts b/src/core/server/saved_objects/saved_objects_config.ts
index e5dc64186f66d..f3b73897fbf1b 100644
--- a/src/core/server/saved_objects/saved_objects_config.ts
+++ b/src/core/server/saved_objects/saved_objects_config.ts
@@ -6,12 +6,19 @@
 * Side Public License, v 1.
 */
 
+import { valid } from 'semver';
 import { schema, TypeOf } from '@kbn/config-schema';
-import type { ServiceConfigDescriptor } from '../internal_types';
+import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal';
 
 const migrationSchema = schema.object({
 batchSize: schema.number({ defaultValue: 1_000 }),
 maxBatchSizeBytes: schema.byteSize({ defaultValue: '100mb' }), // 100mb is the default http.max_content_length Elasticsearch config value
+ discardUnknownObjects: schema.maybe(
+ schema.string({
+ validate: (value: string) =>
+ valid(value) ? undefined : 'The value is not a valid semantic version',
+ })
+ ),
 scrollDuration: schema.string({ defaultValue: '15m' }),
 pollInterval: schema.number({ defaultValue: 1_500 }),
 skip: schema.boolean({ defaultValue: false }),
diff --git a/src/core/server/saved_objects/saved_objects_service.test.ts b/src/core/server/saved_objects/saved_objects_service.test.ts
index d1651046f6124..dee8c3d427007 100644
--- a/src/core/server/saved_objects/saved_objects_service.test.ts
+++ b/src/core/server/saved_objects/saved_objects_service.test.ts
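Review bot: The `validate` callback only checks that `discardUnknownObjects` parses as a semver; nothing in this hunk ties the value to the running Kibana version, and the boolean state flag it presumably feeds is declared elsewhere in this change, so the rule that makes a version string safer than a plain boolean (the setting has to name the version being upgraded to, so a stale value is not honoured again on the next upgrade) is invisible to whoever edits this schema next. Put the contract on the schema, e.g. `// Opt-in to drop saved objects of unknown types during migration. Must name the Kibana version being upgraded to; a value left over from an earlier upgrade is ignored — see the migrator for the comparison.` (adjust the wording if the comparison elsewhere works differently). If memory serves, `valid()` also accepts a leading `v` and returns the normalised version, so any downstream equality check against the raw string would reject `v8.4.0` while this validator accepts it; comparing the normalised form, or rejecting the `v` form here, avoids that mismatch.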
@@ -18,14 +18,13 @@ import { typeRegistryInstanceMock, } from './saved_objects_service.test.mocks'; import { BehaviorSubject } from 'rxjs'; -import { RawPackageInfo } from '@kbn/config'; +import { RawPackageInfo, Env } from '@kbn/config'; import { ByteSizeValue } from '@kbn/config-schema'; import { REPO_ROOT } from '@kbn/utils'; +import { getEnvOptions } from '@kbn/config-mocks'; import { SavedObjectsService } from './saved_objects_service'; import { mockCoreContext } from '../core_context.mock'; -import { Env } from '../config'; -import { getEnvOptions } from '../config/mocks'; import { configServiceMock } from '../mocks'; import { elasticsearchServiceMock } from '../elasticsearch/elasticsearch_service.mock'; import { coreUsageDataServiceMock } from '../core_usage_data/core_usage_data_service.mock'; diff --git a/src/core/server/saved_objects/saved_objects_service.ts b/src/core/server/saved_objects/saved_objects_service.ts index c56a53b05a4ce..2a72a9e77e215 100644 --- a/src/core/server/saved_objects/saved_objects_service.ts +++ b/src/core/server/saved_objects/saved_objects_service.ts @@ -9,14 +9,13 @@ import { Subject, Observable, firstValueFrom } from 'rxjs'; import { filter, take, switchMap } from 'rxjs/operators'; import type { Logger } from '@kbn/logging'; -import { CoreService } from '../../types'; +import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; import { SavedObjectsClient, SavedObjectsClientProvider, SavedObjectsClientProviderOptions, } from '.'; import { KibanaMigrator, IKibanaMigrator } from './migrations'; -import { CoreContext } from '../core_context'; import { InternalCoreUsageDataSetup } from '../core_usage_data'; import { ElasticsearchClient, diff --git a/src/core/server/saved_objects/validation/integration_tests/validator.test.ts b/src/core/server/saved_objects/validation/integration_tests/validator.test.ts index 5d6ea6a0e6e1b..83d6b0f087804 100644 
--- a/src/core/server/saved_objects/validation/integration_tests/validator.test.ts +++ b/src/core/server/saved_objects/validation/integration_tests/validator.test.ts @@ -14,7 +14,7 @@ import { schema } from '@kbn/config-schema'; import { REPO_ROOT } from '@kbn/utils'; import { SavedObjectsType } from '../../types'; import { ISavedObjectsRepository } from '../../service/lib'; -import { getEnvOptions } from '../../../config/mocks'; +import { getEnvOptions } from '@kbn/config-mocks'; import { InternalCoreSetup, InternalCoreStart } from '../../../internal_types'; import { Root } from '../../../root'; import * as kbnTestServer from '../../../../test_helpers/kbn_server'; diff --git a/src/core/server/server.api.md b/src/core/server/server.api.md index bfada11a34bf2..b65d335783d43 100644 --- a/src/core/server/server.api.md +++ b/src/core/server/server.api.md @@ -23,7 +23,9 @@ import { ConfigDeprecationProvider } from '@kbn/config'; import { ConfigPath } from '@kbn/config'; import { ConfigService } from '@kbn/config'; import { ContextProviderOpts } from '@kbn/analytics-client'; +import { CoreId } from '@kbn/core-base-common-internal'; import { DetailedPeerCertificate } from 'tls'; +import { DiscoveredPlugin } from '@kbn/core-base-common'; import type { DocLinks } from '@kbn/doc-links'; import { Duration } from 'moment'; import { Duration as Duration_2 } from 'moment-timezone'; @@ -53,6 +55,9 @@ import { OptInConfig } from '@kbn/analytics-client'; import { PackageInfo } from '@kbn/config'; import { PathConfigType } from '@kbn/utils'; import { PeerCertificate } from 'tls'; +import { PluginName } from '@kbn/core-base-common'; +import { PluginOpaqueId } from '@kbn/core-base-common'; +import { PluginType } from '@kbn/core-base-common'; import { Readable } from 'stream'; import { RecursiveReadonly } from '@kbn/utility-types'; import { Request as Request_2 } from '@hapi/hapi'; 
@@ -421,8 +426,7 @@ export interface CoreEnvironmentUsageData { }; } -// @internal (undocumented) -export type CoreId = symbol; +export { CoreId } // @internal export interface CoreIncrementCounterParams { @@ -920,16 +924,7 @@ export interface DeprecationsServiceSetup { // @public export type DestructiveRouteMethod = 'post' | 'put' | 'delete' | 'patch'; -// @public -export interface DiscoveredPlugin { - readonly configPath: ConfigPath; - readonly enabledOnAnonymousPages?: boolean; - readonly id: PluginName; - readonly optionalPlugins: readonly PluginName[]; - readonly requiredBundles: readonly PluginName[]; - readonly requiredPlugins: readonly PluginName[]; - readonly type: PluginType; -} +export { DiscoveredPlugin } // @public (undocumented) export interface DocLinksServiceSetup { @@ -1475,7 +1470,7 @@ export type KibanaResponseFactory = typeof kibanaResponseFactory; // @public export const kibanaResponseFactory: { - custom: | Error | Buffer | { + custom: | Buffer | Error | { message: string | Error; attributes?: ResponseErrorAttributes | undefined; } | Stream | undefined>(options: CustomHttpResponseOptions) => KibanaResponse; @@ -1499,7 +1494,7 @@ export const kibanaResponseFactory: { message: string | Error; attributes?: ResponseErrorAttributes | undefined; }>; - customError: (options: CustomHttpResponseOptions) => KibanaResponse) => KibanaResponse; @@ -1799,11 +1794,9 @@ export interface PluginManifest { readonly version: string; } -// @public -export type PluginName = string; +export { PluginName } -// @public (undocumented) -export type PluginOpaqueId = symbol; +export { PluginOpaqueId } // @internal (undocumented) export interface PluginsServiceSetup { 
@@ -1816,11 +1809,7 @@ export interface PluginsServiceStart { contracts: Map; } -// @public (undocumented) -export enum PluginType { - preboot = "preboot", - standard = "standard" -} +export { PluginType } // @public (undocumented) export const pollEsNodesVersion: ({ internalClient, log, kibanaVersion, ignoreVersionMismatch, esVersionCheckInterval: healthCheckInterval, }: PollEsNodesVersionOptions) => Observable; @@ -3256,8 +3245,8 @@ export const validBodyOutput: readonly ["data", "stream"]; // // src/core/server/elasticsearch/client/types.ts:81:7 - (ae-forgotten-export) The symbol "Explanation" needs to be exported by the entry point index.d.ts // src/core/server/http/router/response.ts:302:3 - (ae-forgotten-export) The symbol "KibanaResponse" needs to be exported by the entry point index.d.ts -// src/core/server/plugins/types.ts:405:3 - (ae-forgotten-export) The symbol "SharedGlobalConfigKeys" needs to be exported by the entry point index.d.ts -// src/core/server/plugins/types.ts:407:3 - (ae-forgotten-export) The symbol "SavedObjectsConfigType" needs to be exported by the entry point index.d.ts -// src/core/server/plugins/types.ts:514:5 - (ae-unresolved-link) The @link reference could not be resolved: The package "kibana" does not have an export "create" +// src/core/server/plugins/types.ts:339:3 - (ae-forgotten-export) The symbol "SharedGlobalConfigKeys" needs to be exported by the entry point index.d.ts +// src/core/server/plugins/types.ts:341:3 - (ae-forgotten-export) The symbol "SavedObjectsConfigType" needs to be exported by the entry point index.d.ts +// src/core/server/plugins/types.ts:448:5 - (ae-unresolved-link) The @link reference could not be resolved: The package "kibana" does not have an export "create" ``` diff --git a/src/core/server/server.test.mocks.ts b/src/core/server/server.test.mocks.ts index 647d96cb79dbd..e2d9d01079555 100644 --- a/src/core/server/server.test.mocks.ts +++ b/src/core/server/server.test.mocks.ts 
@@ -29,7 +29,7 @@ jest.doMock('./elasticsearch/elasticsearch_service', () => ({ const realKbnConfig = jest.requireActual('@kbn/config'); -import { configServiceMock } from './config/mocks'; +import { configServiceMock } from '@kbn/config-mocks'; export const mockConfigService = configServiceMock.create(); jest.doMock('@kbn/config', () => ({ diff --git a/src/core/server/server.test.ts b/src/core/server/server.test.ts index 228af5532f416..b10c6c31f5aae 100644 --- a/src/core/server/server.test.ts +++ b/src/core/server/server.test.ts @@ -28,8 +28,8 @@ import { import { BehaviorSubject } from 'rxjs'; import { REPO_ROOT } from '@kbn/utils'; -import { rawConfigServiceMock, getEnvOptions } from './config/mocks'; -import { Env } from './config'; +import { Env } from '@kbn/config'; +import { rawConfigServiceMock, getEnvOptions } from '@kbn/config-mocks'; import { Server } from './server'; import { loggingSystemMock } from './logging/logging_system.mock'; diff --git a/src/core/server/server.ts b/src/core/server/server.ts index b83970b2da87c..57570e4d2e789 100644 --- a/src/core/server/server.ts +++ b/src/core/server/server.ts @@ -9,13 +9,9 @@ import apm from 'elastic-apm-node'; import { config as pathConfig } from '@kbn/utils'; import type { Logger, LoggerFactory } from '@kbn/logging'; -import { - ConfigService, - Env, - RawConfigurationProvider, - coreDeprecationProvider, - ensureValidConfiguration, -} from './config'; +import { ConfigService, Env, RawConfigurationProvider } from '@kbn/config'; +import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal'; +import { coreDeprecationProvider, ensureValidConfiguration } from './config'; import { CoreApp } from './core_app'; import { I18nService } from './i18n'; import { ElasticsearchService } from './elasticsearch'; 
@@ -43,12 +39,7 @@ import { config as uiSettingsConfig } from './ui_settings'; import { config as statusConfig } from './status'; import { config as i18nConfig } from './i18n'; import { ContextService } from './context'; -import { - InternalCorePreboot, - InternalCoreSetup, - InternalCoreStart, - ServiceConfigDescriptor, -} from './internal_types'; +import { InternalCorePreboot, InternalCoreSetup, InternalCoreStart } from './internal_types'; import { CoreUsageDataService } from './core_usage_data'; import { DeprecationsService, config as deprecationConfig } from './deprecations'; import { CoreRouteHandlerContext } from './core_route_handler_context'; diff --git a/src/core/server/status/cached_plugins_status.ts b/src/core/server/status/cached_plugins_status.ts index fec9f51e63172..4f574a6382106 100644 --- a/src/core/server/status/cached_plugins_status.ts +++ b/src/core/server/status/cached_plugins_status.ts @@ -8,7 +8,7 @@ import { Observable } from 'rxjs'; -import { type PluginName } from '../plugins'; +import type { PluginName } from '@kbn/core-base-common'; import { type ServiceStatus } from './types'; import { type Deps, PluginsStatusService as BasePluginsStatusService } from './plugins_status'; diff --git a/src/core/server/status/legacy_status.ts b/src/core/server/status/legacy_status.ts index 654427781ba9e..b9ae0461d91d7 100644 --- a/src/core/server/status/legacy_status.ts +++ b/src/core/server/status/legacy_status.ts @@ -10,8 +10,8 @@ import { pick } from 'lodash'; import { i18n } from '@kbn/i18n'; import { deepFreeze } from '@kbn/std'; +import type { PluginName } from '@kbn/core-base-common'; import { ServiceStatusLevels, ServiceStatus, CoreStatus } from './types'; -import { PluginName } from '../plugins'; interface Deps { overall: ServiceStatus; diff --git a/src/core/server/status/plugins_status.test.ts b/src/core/server/status/plugins_status.test.ts index 8130698379eda..eaab8841563b5 100644 --- a/src/core/server/status/plugins_status.test.ts 
+++ b/src/core/server/status/plugins_status.test.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { PluginName } from '../plugins'; +import type { PluginName } from '@kbn/core-base-common'; import { PluginsStatusService } from './plugins_status'; import { of, Observable, BehaviorSubject, ReplaySubject } from 'rxjs'; import { ServiceStatusLevels, CoreStatus, ServiceStatus } from './types'; diff --git a/src/core/server/status/plugins_status.ts b/src/core/server/status/plugins_status.ts index d77529f06ddec..a3e5294157780 100644 --- a/src/core/server/status/plugins_status.ts +++ b/src/core/server/status/plugins_status.ts @@ -17,7 +17,7 @@ import { import { sortBy } from 'lodash'; import { isDeepStrictEqual } from 'util'; -import { type PluginName } from '../plugins'; +import type { PluginName } from '@kbn/core-base-common'; import { type ServiceStatus, type CoreStatus, ServiceStatusLevels } from './types'; import { getSummaryStatus } from './get_summary_status'; diff --git a/src/core/server/status/routes/status.ts b/src/core/server/status/routes/status.ts index 4fb0900b23238..973551e81ff9e 100644 --- a/src/core/server/status/routes/status.ts +++ b/src/core/server/status/routes/status.ts @@ -8,14 +8,14 @@ import { Observable, combineLatest, ReplaySubject, firstValueFrom } from 'rxjs'; import { schema } from '@kbn/config-schema'; +import { PackageInfo } from '@kbn/config'; +import type { PluginName } from '@kbn/core-base-common'; import { IRouter } from '../../http'; import { MetricsServiceSetup } from '../../metrics'; import type { CoreIncrementUsageCounter } from '../../core_usage_data/types'; import { ServiceStatus, CoreStatus, ServiceStatusLevels } from '../types'; -import { PluginName } from '../../plugins'; import { calculateLegacyStatus, LegacyStatusInfo } from '../legacy_status'; -import { PackageInfo } from '../../config'; import { StatusResponse } from '../../../types/status'; const SNAPSHOT_POSTFIX = /-SNAPSHOT$/; 
diff --git a/src/core/server/status/status_config.ts b/src/core/server/status/status_config.ts index c2dedf9e11ecb..09e987a4e8d37 100644 --- a/src/core/server/status/status_config.ts +++ b/src/core/server/status/status_config.ts @@ -7,7 +7,7 @@ */ import { schema, TypeOf } from '@kbn/config-schema'; -import { ServiceConfigDescriptor } from '../internal_types'; +import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal'; const statusConfigSchema = schema.object({ allowAnonymous: schema.boolean({ defaultValue: false }), diff --git a/src/core/server/status/status_service.test.ts b/src/core/server/status/status_service.test.ts index 70181db9380ff..d39e6e3a3e70f 100644 --- a/src/core/server/status/status_service.test.ts +++ b/src/core/server/status/status_service.test.ts @@ -22,7 +22,7 @@ import { environmentServiceMock } from '../environment/environment_service.mock' import { httpServiceMock } from '../http/http_service.mock'; import { mockRouter, RouterMock } from '../http/router/router.mock'; import { metricsServiceMock } from '../metrics/metrics_service.mock'; -import { configServiceMock } from '../config/mocks'; +import { configServiceMock } from '@kbn/config-mocks'; import { coreUsageDataServiceMock } from '../core_usage_data/core_usage_data_service.mock'; import { analyticsServiceMock } from '../analytics/analytics_service.mock'; import { AnalyticsServiceSetup } from '..'; diff --git a/src/core/server/status/status_service.ts b/src/core/server/status/status_service.ts index 2350068d50266..65ddfc799facd 100644 --- a/src/core/server/status/status_service.ts +++ b/src/core/server/status/status_service.ts 
@@ -19,15 +19,13 @@ import { map, distinctUntilChanged, shareReplay, debounceTime, takeUntil } from import { isDeepStrictEqual } from 'util'; import type { RootSchema } from '@kbn/analytics-client'; -import type { Logger, LogMeta } from '@kbn/logging'; - +import { Logger, LogMeta } from '@kbn/logging'; +import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; +import type { PluginName } from '@kbn/core-base-common'; import { AnalyticsServiceSetup } from '../analytics'; -import { CoreService } from '../../types'; -import { CoreContext } from '../core_context'; import { InternalElasticsearchServiceSetup } from '../elasticsearch'; import { InternalHttpServiceSetup } from '../http'; import { InternalSavedObjectsServiceSetup } from '../saved_objects'; -import { PluginName } from '../plugins'; import { InternalMetricsServiceSetup } from '../metrics'; import { registerStatusRoute } from './routes'; import { InternalEnvironmentServiceSetup } from '../environment'; diff --git a/src/core/server/status/types.ts b/src/core/server/status/types.ts index 564a2232cc310..b44dde13983bb 100644 --- a/src/core/server/status/types.ts +++ b/src/core/server/status/types.ts @@ -8,7 +8,7 @@ import { Observable } from 'rxjs'; import { deepFreeze } from '@kbn/std'; -import { PluginName } from '../plugins'; +import type { PluginName } from '@kbn/core-base-common'; /** * The current status of a service at a point in time. diff --git a/src/core/server/ui_settings/integration_tests/index.test.ts b/src/core/server/ui_settings/integration_tests/index.test.ts index 3f85beb2acec6..6ca80d3a3ba11 100644 --- a/src/core/server/ui_settings/integration_tests/index.test.ts +++ b/src/core/server/ui_settings/integration_tests/index.test.ts 
@@ -8,7 +8,7 @@ import { Env } from '@kbn/config'; import { REPO_ROOT } from '@kbn/utils'; -import { getEnvOptions } from '../../config/mocks'; +import { getEnvOptions } from '@kbn/config-mocks'; import { startServers, stopServers } from './lib'; import { docExistsSuite } from './doc_exists'; import { docMissingSuite } from './doc_missing'; diff --git a/src/core/server/ui_settings/ui_settings_config.ts b/src/core/server/ui_settings/ui_settings_config.ts index 2dc151aeecec8..20d2c5f30e396 100644 --- a/src/core/server/ui_settings/ui_settings_config.ts +++ b/src/core/server/ui_settings/ui_settings_config.ts @@ -7,8 +7,8 @@ */ import { schema, TypeOf } from '@kbn/config-schema'; -import { ConfigDeprecationProvider } from '..'; -import { ServiceConfigDescriptor } from '../internal_types'; +import type { ServiceConfigDescriptor } from '@kbn/core-base-server-internal'; +import { ConfigDeprecationProvider } from '@kbn/config'; const deprecations: ConfigDeprecationProvider = ({ unused, renameFromRoot }) => [ unused('enabled', { level: 'warning' }), diff --git a/src/core/server/ui_settings/ui_settings_service.ts b/src/core/server/ui_settings/ui_settings_service.ts index 3e37ec1e5ffef..d303060d55595 100644 --- a/src/core/server/ui_settings/ui_settings_service.ts +++ b/src/core/server/ui_settings/ui_settings_service.ts @@ -10,8 +10,7 @@ import { firstValueFrom, Observable } from 'rxjs'; import { mapToObject } from '@kbn/std'; import type { Logger } from '@kbn/logging'; -import { CoreService } from '../../types'; -import { CoreContext } from '../core_context'; +import type { CoreContext, CoreService } from '@kbn/core-base-server-internal'; import { SavedObjectsClientContract } from '../saved_objects/types'; import { InternalSavedObjectsServiceSetup } from '../saved_objects'; import { InternalHttpServiceSetup } from '../http'; diff --git a/src/core/test_helpers/http_test_setup.ts b/src/core/test_helpers/http_test_setup.ts index 67b340898aab4..2a7d6451319cb 100644 
--- a/src/core/test_helpers/http_test_setup.ts +++ b/src/core/test_helpers/http_test_setup.ts @@ -6,9 +6,9 @@ * Side Public License, v 1. */ +import { injectedMetadataServiceMock } from '@kbn/core-injected-metadata-browser-mocks'; import { HttpService } from '../public/http'; import { fatalErrorsServiceMock } from '../public/fatal_errors/fatal_errors_service.mock'; -import { injectedMetadataServiceMock } from '../public/injected_metadata/injected_metadata_service.mock'; import { executionContextServiceMock } from '../public/execution_context/execution_context_service.mock'; export type SetupTap = ( diff --git a/src/core/test_helpers/kbn_server.ts b/src/core/test_helpers/kbn_server.ts index c2eca55e59a9e..022d60acbed9b 100644 --- a/src/core/test_helpers/kbn_server.ts +++ b/src/core/test_helpers/kbn_server.ts @@ -6,6 +6,10 @@ * Side Public License, v 1. */ +import { defaultsDeep } from 'lodash'; +import { BehaviorSubject } from 'rxjs'; +import supertest from 'supertest'; + import { ToolingLog } from '@kbn/tooling-log'; import { REPO_ROOT } from '@kbn/utils'; import { @@ -15,12 +19,9 @@ import { kibanaServerTestUser, systemIndicesSuperuser, } from '@kbn/test'; -import { defaultsDeep } from 'lodash'; -import { BehaviorSubject } from 'rxjs'; -import supertest from 'supertest'; +import { CliArgs, Env } from '@kbn/config'; import { InternalCoreSetup, InternalCoreStart } from '../server/internal_types'; -import { CliArgs, Env } from '../server/config'; import { Root } from '../server/root'; export type HttpMethod = 'delete' | 'get' | 'head' | 'post' | 'put'; diff --git a/src/core/types/index.ts b/src/core/types/index.ts index 280310aee8c55..1c12a87b1d3a1 100644 --- a/src/core/types/index.ts +++ b/src/core/types/index.ts @@ -10,7 +10,6 @@ * Use * syntax so that these exports do not break when internal * types are stripped. */ -export * from './core_service'; export * from './capabilities'; export * from './app_category'; export * from './ui_settings'; 
diff --git a/src/dev/build/tasks/os_packages/run_fpm.ts b/src/dev/build/tasks/os_packages/run_fpm.ts index d7c0e5f9ac0e1..991ba45eb8baa 100644 --- a/src/dev/build/tasks/os_packages/run_fpm.ts +++ b/src/dev/build/tasks/os_packages/run_fpm.ts @@ -85,7 +85,7 @@ export async function runFpm( // tell fpm about the config file so that it is called out in the package definition '--config-files', - `/etc/kibana/kibana.yml`, + `/etc/kibana`, // define template values that will be injected into the install/uninstall // scripts, also causes scripts to be processed with erb diff --git a/src/dev/precommit_hook/casing_check_config.js b/src/dev/precommit_hook/casing_check_config.js index 9d074e5d98db0..b16dc39c4f50b 100644 --- a/src/dev/precommit_hook/casing_check_config.js +++ b/src/dev/precommit_hook/casing_check_config.js @@ -102,6 +102,7 @@ export const IGNORE_DIRECTORY_GLOBS = [ ...KEBAB_CASE_DIRECTORY_GLOBS, 'src/babel-*', 'packages/*', + 'packages/core/*/*', 'packages/kbn-pm/src/utils/__fixtures__/*', 'x-pack/dev-tools', 'packages/kbn-optimizer/src/__fixtures__/mock_repo/x-pack', diff --git a/src/dev/typescript/projects.ts b/src/dev/typescript/projects.ts index 848ca09a86671..82f7639d2b2ba 100644 --- a/src/dev/typescript/projects.ts +++ b/src/dev/typescript/projects.ts @@ -70,6 +70,11 @@ export const PROJECTS = [ disableTypeCheck: true, }), + createProject('x-pack/plugins/ux/e2e/tsconfig.json', { + name: 'ux/synthetics-e2e-tests', + disableTypeCheck: true, + }), + // Glob patterns to be all search at once ...findProjects([ 'src/plugins/*/tsconfig.json', diff --git a/src/plugins/chart_expressions/expression_xy/common/expression_functions/common_xy_args.ts b/src/plugins/chart_expressions/expression_xy/common/expression_functions/common_xy_args.ts index 0082bbefd0cb1..3c1d36c758f71 100644 --- a/src/plugins/chart_expressions/expression_xy/common/expression_functions/common_xy_args.ts 
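Review bot: Passing the directory `/etc/kibana` to `--config-files` makes fpm treat every file it packages under that directory as a package config file, not just `kibana.yml`, so the comment one line above, `// tell fpm about the config file so that it is called out in the package definition`, is now misleading; update it to something like `// mark everything packaged under /etc/kibana as config files so the package manager preserves or sidelines operator-modified copies instead of overwriting them on upgrade`. Since the behaviour change applies to whatever else ends up in that directory at build time (not visible in this hunk), it is worth confirming that the conffile semantics of rpm and deb — modified files kept rather than replaced, and not removed by a plain package removal — are wanted for each of those files. Files written after installation (a keystore, for example, if it lives there) are not part of the package and so are unaffected either way. The `runFpm` argument list this line belongs to starts and ends outside the hunk.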
+++ b/src/plugins/chart_expressions/expression_xy/common/expression_functions/common_xy_args.ts @@ -128,6 +128,10 @@ export const commonXYArgs: CommonXYFn['args'] = { types: ['string'], help: strings.getAriaLabelHelp(), }, + detailedTooltip: { + types: ['boolean'], + help: strings.getDetailedTooltipHelp(), + }, showTooltip: { types: ['boolean'], default: true, diff --git a/src/plugins/chart_expressions/expression_xy/common/i18n/index.tsx b/src/plugins/chart_expressions/expression_xy/common/i18n/index.tsx index e4232ff639e24..33750f627c206 100644 --- a/src/plugins/chart_expressions/expression_xy/common/i18n/index.tsx +++ b/src/plugins/chart_expressions/expression_xy/common/i18n/index.tsx @@ -121,6 +121,10 @@ export const strings = { i18n.translate('expressionXY.xyVis.ariaLabel.help', { defaultMessage: 'Specifies the aria label of the xy chart', }), + getDetailedTooltipHelp: () => + i18n.translate('expressionXY.xyVis.detailedTooltip.help', { + defaultMessage: 'Show detailed tooltip', + }), getShowTooltipHelp: () => i18n.translate('expressionXY.xyVis.showTooltip.help', { defaultMessage: 'Show tooltip', diff --git a/src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts b/src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts index 8b852fff257f9..6bd8eb5d37b7c 100644 --- a/src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts +++ b/src/plugins/chart_expressions/expression_xy/common/types/expression_functions.ts 
@@ -12,7 +12,8 @@ import type { PaletteOutput } from '@kbn/coloring'; import { Datatable, ExpressionFunctionDefinition } from '@kbn/expressions-plugin'; import { LegendSize } from '@kbn/visualizations-plugin/public'; import { EventAnnotationOutput } from '@kbn/event-annotation-plugin/common'; -import type { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common/expression_functions'; +import { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common'; + import { AxisExtentModes, FillStyles, @@ -220,6 +221,7 @@ export interface XYArgs extends DataLayerArgs { minTimeBarInterval?: string; splitRowAccessor?: ExpressionValueVisDimension | string; splitColumnAccessor?: ExpressionValueVisDimension | string; + detailedTooltip?: boolean; orderBucketsBySum?: boolean; showTooltip: boolean; } @@ -247,6 +249,7 @@ export interface LayeredXYArgs { hideEndzones?: boolean; valuesInLegend?: boolean; ariaLabel?: string; + detailedTooltip?: boolean; addTimeMarker?: boolean; markSizeRatio?: number; minTimeBarInterval?: string; @@ -282,6 +285,7 @@ export interface XYProps { minTimeBarInterval?: string; splitRowAccessor?: ExpressionValueVisDimension | string; splitColumnAccessor?: ExpressionValueVisDimension | string; + detailedTooltip?: boolean; orderBucketsBySum?: boolean; showTooltip: boolean; } diff --git a/src/plugins/chart_expressions/expression_xy/public/components/__snapshots__/xy_chart.test.tsx.snap b/src/plugins/chart_expressions/expression_xy/public/components/__snapshots__/xy_chart.test.tsx.snap index 103c39488da29..be930b69634df 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/__snapshots__/xy_chart.test.tsx.snap +++ b/src/plugins/chart_expressions/expression_xy/public/components/__snapshots__/xy_chart.test.tsx.snap @@ -330,6 +330,7 @@ exports[`XYChart component it renders area 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } 
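Review bot: Replacing `import type { ExpressionValueVisDimension } from '...common/expression_functions'` with a plain `import { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common'` turns a type-only import into a value import; in the visible hunks the name is used only in type positions (`splitRowAccessor?: ExpressionValueVisDimension | string`), so if it is exported as a type the module would now be pulled into the emitted JavaScript and the bundle for nothing. Keep the modifier: `import type { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common';`. The added blank `+` line after it also splits what was one contiguous import group, which is a style nit the file's other imports do not follow.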
@@ -786,6 +787,24 @@ exports[`XYChart component it renders area 1`] = ` shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -882,6 +901,7 @@ exports[`XYChart component it renders bar 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -1338,6 +1358,24 @@ exports[`XYChart component it renders bar 1`] = ` shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -1434,6 +1472,7 @@ exports[`XYChart component it renders horizontal bar 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -1890,6 +1929,24 @@ exports[`XYChart component it renders horizontal bar 1`] = ` shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -1986,6 +2043,7 @@ exports[`XYChart component it renders line 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } 
@@ -2442,6 +2500,24 @@ exports[`XYChart component it renders line 1`] = ` shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -2538,6 +2614,7 @@ exports[`XYChart component it renders stacked area 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -2994,6 +3071,24 @@ exports[`XYChart component it renders stacked area 1`] = ` shouldShowValueLabels={false} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -3090,6 +3185,7 @@ exports[`XYChart component it renders stacked bar 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -3546,6 +3642,24 @@ exports[`XYChart component it renders stacked bar 1`] = ` shouldShowValueLabels={false} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -3642,6 +3756,7 @@ exports[`XYChart component it renders stacked horizontal bar 1`] = ` tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } 
@@ -4098,6 +4213,24 @@ exports[`XYChart component it renders stacked horizontal bar 1`] = ` shouldShowValueLabels={false} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -4194,6 +4327,7 @@ exports[`XYChart component split chart should render split chart if both, splitR tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -4285,6 +4419,19 @@ exports[`XYChart component split chart should render split chart if both, splitR }, ] } + fieldFormats={ + Object { + "b": Object { + "id": "number", + "params": Object { + "pattern": "000,0", + }, + }, + "c": Object { + "id": "string", + }, + } + } formatFactory={ [MockFunction] { "calls": Array [ @@ -4905,6 +5052,28 @@ exports[`XYChart component split chart should render split chart if both, splitR shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object { + "b": "b", + }, + "splitRowTitles": Object { + "c": "c", + }, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -5001,6 +5170,7 @@ exports[`XYChart component split chart should render split chart if splitColumnA tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } 
@@ -5092,6 +5262,16 @@ exports[`XYChart component split chart should render split chart if splitColumnA }, ] } + fieldFormats={ + Object { + "b": Object { + "id": "number", + "params": Object { + "pattern": "000,0", + }, + }, + } + } formatFactory={ [MockFunction] { "calls": Array [ @@ -5711,6 +5891,26 @@ exports[`XYChart component split chart should render split chart if splitColumnA shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object { + "b": "b", + }, + "splitRowTitles": Object {}, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ @@ -5807,6 +6007,7 @@ exports[`XYChart component split chart should render split chart if splitRowAcce tooltip={ Object { "boundary": undefined, + "customTooltip": undefined, "headerFormatter": [Function], "type": "vertical", } @@ -5898,6 +6099,16 @@ exports[`XYChart component split chart should render split chart if splitRowAcce }, ] } + fieldFormats={ + Object { + "b": Object { + "id": "number", + "params": Object { + "pattern": "000,0", + }, + }, + } + } formatFactory={ [MockFunction] { "calls": Array [ @@ -6517,6 +6728,26 @@ exports[`XYChart component split chart should render split chart if splitRowAcce shouldShowValueLabels={true} syncColors={false} timeZone="UTC" + titles={ + Object { + "first": Object { + "splitColumnTitles": Object {}, + "splitRowTitles": Object { + "b": "b", + }, + "splitSeriesTitles": Object { + "d": "ColD", + }, + "xTitles": Object { + "c": "c", + }, + "yTitles": Object { + "a": "a", + "b": "b", + }, + }, + } + } valueLabels="hide" yAxesConfiguration={ Array [ diff --git a/src/plugins/chart_expressions/expression_xy/public/components/data_layers.tsx b/src/plugins/chart_expressions/expression_xy/public/components/data_layers.tsx index eb81ab434974d..b19cf515d43b8 100644 
--- a/src/plugins/chart_expressions/expression_xy/public/components/data_layers.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/data_layers.tsx @@ -32,9 +32,11 @@ import { GroupsConfiguration, getSeriesProps, DatatablesWithFormatInfo, + LayersAccessorsTitles, } from '../helpers'; interface Props { + titles?: LayersAccessorsTitles; layers: CommonXYDataLayerConfig[]; formatFactory: FormatFactory; chartHasMoreThanOneBarSeries?: boolean; @@ -54,6 +56,7 @@ interface Props { } export const DataLayers: FC = ({ + titles = {}, layers, endValue, timeZone, @@ -95,6 +98,7 @@ export const DataLayers: FC = ({ const seriesProps = getSeriesProps({ layer, + titles: titles[layer.layerId], accessor: yColumnId, chartHasMoreThanOneBarSeries, colorAssignments, diff --git a/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_line_layer.tsx b/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_line_layer.tsx index 210f5bda0126b..73aa3a3d8ba4f 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_line_layer.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_line_layer.tsx @@ -13,6 +13,7 @@ import { Position } from '@elastic/charts'; import { ReferenceLineLayerConfig } from '../../../common/types'; import { getGroupId } from './utils'; import { ReferenceLineAnnotations } from './reference_line_annotations'; +import { LayerAccessorsTitles } from '../../helpers'; interface ReferenceLineLayerProps { layer: ReferenceLineLayerConfig; @@ -20,6 +21,7 @@ interface ReferenceLineLayerProps { paddingMap: Partial>; axesMap: Record<'left' | 'right', boolean>; isHorizontal: boolean; + titles?: LayerAccessorsTitles; } export const ReferenceLineLayer: FC = ({ @@ -28,6 +30,7 @@ export const ReferenceLineLayer: FC = ({ paddingMap, axesMap, isHorizontal, + titles, }) => { if (!layer.yConfig) { return null; 
@@ -54,7 +57,7 @@ export const ReferenceLineLayer: FC = ({ const groupId = getGroupId(axisMode); const formatter = formatters[groupId || 'bottom']; - const name = columnToLabelMap[yConfig.forAccessor]; + const name = columnToLabelMap[yConfig.forAccessor] ?? titles?.yTitles?.[yConfig.forAccessor]; const value = row[yConfig.forAccessor]; const yConfigsWithSameDirection = groupedByDirection[yConfig.fill!]; const indexFromSameType = yConfigsWithSameDirection.findIndex( diff --git a/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_lines.tsx b/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_lines.tsx index 5d48c3c05166d..a95d1942e4659 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_lines.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/reference_lines/reference_lines.tsx @@ -12,7 +12,7 @@ import React from 'react'; import { Position } from '@elastic/charts'; import type { FieldFormat } from '@kbn/field-formats-plugin/common'; import type { CommonXYReferenceLineLayerConfig, ReferenceLineConfig } from '../../../common/types'; -import { isReferenceLine } from '../../helpers'; +import { isReferenceLine, LayersAccessorsTitles } from '../../helpers'; import { ReferenceLineLayer } from './reference_line_layer'; import { ReferenceLine } from './reference_line'; import { getNextValuesForReferenceLines } from './utils'; @@ -23,9 +23,10 @@ export interface ReferenceLinesProps { axesMap: Record<'left' | 'right', boolean>; isHorizontal: boolean; paddingMap: Partial>; + titles?: LayersAccessorsTitles; } -export const ReferenceLines = ({ layers, ...rest }: ReferenceLinesProps) => { +export const ReferenceLines = ({ layers, titles = {}, ...rest }: ReferenceLinesProps) => { const referenceLines = layers.filter((layer): layer is ReferenceLineConfig => isReferenceLine(layer) ); 
@@ -45,7 +46,8 @@ export const ReferenceLines = ({ layers, ...rest }: ReferenceLinesProps) => { return ; } - return ; + const layerTitles = titles[layer.layerId]; + return ; })} ); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/split_chart.tsx b/src/plugins/chart_expressions/expression_xy/public/components/split_chart.tsx index f0b2f7f66a00c..3f7d59e0473d5 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/split_chart.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/split_chart.tsx @@ -9,8 +9,12 @@ import React, { useCallback } from 'react'; import { GroupBy, SmallMultiples, Predicate } from '@elastic/charts'; import { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common'; -import { getColumnByAccessor, getFormatByAccessor } from '@kbn/visualizations-plugin/common/utils'; +import { + getAccessorByDimension, + getColumnByAccessor, +} from '@kbn/visualizations-plugin/common/utils'; import { Datatable } from '@kbn/expressions-plugin/public'; +import { SerializedFieldFormat } from '@kbn/field-formats-plugin/common'; import { FormatFactory } from '../types'; interface SplitChartProps { @@ -18,6 +22,7 @@ interface SplitChartProps { splitRowAccessor?: ExpressionValueVisDimension | string; columns: Datatable['columns']; formatFactory: FormatFactory; + fieldFormats: Record; } const SPLIT_COLUMN = '__split_column__'; 
@@ -27,15 +32,16 @@ export const SplitChart = ({ splitColumnAccessor, splitRowAccessor, columns, + fieldFormats, formatFactory, }: SplitChartProps) => { const format = useCallback( (value: unknown, accessor: ExpressionValueVisDimension | string) => { - const formatParams = getFormatByAccessor(accessor, columns); - const formatter = formatParams ? formatFactory(formatParams) : formatFactory(); + const formatParams = fieldFormats[getAccessorByDimension(accessor, columns)]; + const formatter = formatFactory(formatParams); return formatter.convert(value); }, - [columns, formatFactory] + [columns, formatFactory, fieldFormats] ); const getData = useCallback( diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/endzone_tooltip_header.test.tsx.snap b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/endzone_tooltip_header.test.tsx.snap new file mode 100644 index 0000000000000..b0bf86d8aecb8 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/endzone_tooltip_header.test.tsx.snap @@ -0,0 +1,51 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`EndzoneTooltipHeader should render endzone tooltip with value, if it is specified 1`] = ` + + + + + + + The selected time range does not include this entire bucket. It might contain partial data. + + + +
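Review bot: The `format` callback now calls `formatFactory(formatParams)` unconditionally, where `formatParams` is `fieldFormats[getAccessorByDimension(accessor, columns)]` and is undefined whenever the resolved accessor has no entry in `fieldFormats`, whereas the removed code fell back to `formatFactory()` in that case. If FormatFactory tolerates an undefined argument this is behaviour-preserving (the test double in tooltip.test.tsx reads `format?.id`, which suggests it does), but the new required `fieldFormats` prop moves the burden of supplying a complete map onto every caller of SplitChart, and nothing here states that. A short comment on the prop would pin the contract: `/** Serialized format per accessor id; an accessor missing here falls back to the factory's default formatter. */`. SplitChart's body continues outside the hunk.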

+ some value +

+
+`; + +exports[`EndzoneTooltipHeader should render endzone tooltip without value, if it is not specified 1`] = ` + + + + + + + The selected time range does not include this entire bucket. It might contain partial data. + + + +`; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip.test.tsx.snap b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip.test.tsx.snap new file mode 100644 index 0000000000000..034108bf7d345 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip.test.tsx.snap @@ -0,0 +1,341 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`Tooltip should render plain tooltip 1`] = ` +
+ + + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip with partial buckets 1`] = ` +
+
+ +
+ + + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip with partial buckets 2`] = ` +
+
+ +
+ + + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip with xDomain 1`] = ` +
+ + + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without split-column-values 1`] = ` +
+ + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without split-row-values 1`] = ` +
+ + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without splitAccessors-values 1`] = ` +
+ + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without x-value 1`] = ` +
+ + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without x-value 2`] = ` +
+ + + + + + + +
+
+`; + +exports[`Tooltip should render tooltip without y-value 1`] = ` +
+ + + + + + + +
+
+`; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_header.test.tsx.snap b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_header.test.tsx.snap new file mode 100644 index 0000000000000..16fcab2bfac7e --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_header.test.tsx.snap @@ -0,0 +1,7 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`TooltipHeader should render plain value at the header 1`] = ` + + formatted-15 + +`; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_row.test.tsx.snap b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_row.test.tsx.snap new file mode 100644 index 0000000000000..01fed10a23fcd --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/__snapshots__/tooltip_row.test.tsx.snap @@ -0,0 +1,24 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`TooltipRow should render label and value if both are specified 1`] = ` + + +
+ tooltip +
+ + +
+ 0 +
+ + +`; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.test.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.test.tsx new file mode 100644 index 0000000000000..d1e8c6b8bb301 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.test.tsx @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { shallow } from 'enzyme'; +import React from 'react'; +import { EndzoneTooltipHeader } from './endzone_tooltip_header'; + +describe('EndzoneTooltipHeader', () => { + it('should render endzone tooltip with value, if it is specified', () => { + const endzoneTooltip = shallow(); + expect(endzoneTooltip).toMatchSnapshot(); + }); + + it('should render endzone tooltip without value, if it is not specified', () => { + const endzoneTooltip = shallow(); + expect(endzoneTooltip).toMatchSnapshot(); + }); +}); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.tsx new file mode 100644 index 0000000000000..8a956cb69cab4 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/endzone_tooltip_header.tsx 
@@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC } from 'react'; +import { EuiFlexGroup, EuiFlexItem, EuiIcon, EuiSpacer } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; + +export interface EndzoneTooltipHeaderProps { + value?: string; +} + +export const EndzoneTooltipHeader: FC = ({ value }) => ( + <> + + + + + + {i18n.translate('expressionXY.partialData.bucketTooltipText', { + defaultMessage: + 'The selected time range does not include this entire bucket. It might contain partial data.', + })} + + + {value !== undefined && ( + <> + +

{value}

+ + )} + +); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/index.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/index.tsx new file mode 100644 index 0000000000000..f6b099771f6e9 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/index.tsx @@ -0,0 +1,11 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +export { Tooltip } from './tooltip'; +export { TooltipHeader } from './tooltip_header'; +export { EndzoneTooltipHeader } from './endzone_tooltip_header'; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.scss b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.scss new file mode 100644 index 0000000000000..0fa98d5e5db82 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.scss @@ -0,0 +1,39 @@ +.detailedTooltip { + @include euiToolTipStyle('s'); + pointer-events: none; + max-width: $euiSizeXL * 10; + overflow: hidden; + padding: $euiSizeS; + + table { + td, + th { + text-align: left; + padding: $euiSizeXS; + overflow-wrap: break-word; + word-wrap: break-word; + } + } +} + +.detailedTooltip__header { + > :last-child { + margin-bottom: $euiSizeS; + } +} + +.detailedTooltip__labelContainer, +.detailedTooltip__valueContainer { + overflow-wrap: break-word; + word-wrap: break-word; +} + +.detailedTooltip__label { + font-weight: $euiFontWeightMedium; + color: shade($euiColorGhost, 20%); +} + +.detailedTooltip__header--partial { + font-weight: $euiFontWeightRegular; + min-width: $euiSize * 12; +} 
diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.test.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.test.tsx new file mode 100644 index 0000000000000..3b39397558750 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.test.tsx 
@@ -0,0 +1,321 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React from 'react'; +import { shallow } from 'enzyme'; +import { Tooltip } from './tooltip'; +import { generateSeriesId, LayersAccessorsTitles, LayersFieldFormats } from '../../helpers'; +import { XYChartSeriesIdentifier } from '@elastic/charts'; +import { sampleArgs, sampleLayer } from '../../../common/__mocks__'; +import { FieldFormat, FormatFactory } from '@kbn/field-formats-plugin/common'; + +const getSeriesIdentifier = ({ + layerId, + xAccessor, + yAccessor, + splitAccessor, + splitRowAccessor, + splitColumnAccessor, + splitAccessors, +}: { + layerId: string; + xAccessor?: string; + yAccessor?: string; + splitRowAccessor?: string; + splitAccessor?: string; + splitColumnAccessor?: string; + splitAccessors: Map; +}): XYChartSeriesIdentifier => ({ + specId: generateSeriesId({ layerId, xAccessor, splitAccessor }, yAccessor), + yAccessor: yAccessor ?? 
'a', + splitAccessors, + seriesKeys: [], + key: '1', + smVerticalAccessorValue: splitColumnAccessor, + smHorizontalAccessorValue: splitRowAccessor, +}); + +describe('Tooltip', () => { + const { data } = sampleArgs(); + const { layerId, xAccessor, splitAccessor, accessors } = sampleLayer; + const splitAccessors = new Map(); + splitAccessors.set(splitAccessor, '10'); + + const accessor = accessors[0] as string; + const splitRowAccessor = 'd'; + const splitColumnAccessor = 'd'; + + const seriesIdentifier = getSeriesIdentifier({ + layerId, + yAccessor: accessor, + xAccessor: xAccessor as string, + splitAccessor: splitAccessor as string, + splitAccessors, + splitRowAccessor, + splitColumnAccessor, + }); + + const header = { + value: 'some value', + label: 'some label', + formattedValue: 'formatted value', + color: '#fff', + isHighlighted: true, + isVisible: true, + seriesIdentifier, + }; + + const titles: LayersAccessorsTitles = { + [layerId]: { + xTitles: { [xAccessor as string]: 'x-title' }, + yTitles: { [accessor]: 'y-title' }, + splitSeriesTitles: { [splitAccessor as string]: 'split-series-title' }, + splitRowTitles: { [splitRowAccessor]: 'split-row-title' }, + splitColumnTitles: { [splitColumnAccessor]: 'split-column-title' }, + }, + }; + + const fieldFormats: LayersFieldFormats = { + [layerId]: { + xAccessors: { [xAccessor as string]: { id: 'number' } }, + yAccessors: { [accessor]: { id: 'string' } }, + splitSeriesAccessors: { [splitAccessor as string]: { id: 'date' } }, + splitRowAccessors: { [splitRowAccessor]: { id: 'number' } }, + splitColumnAccessors: { [splitColumnAccessor]: { id: 'number' } }, + }, + }; + + const formatFactory: FormatFactory = (format) => + ({ + convert: (value) => `formatted-${format?.id}-${value}`, + } as FieldFormat); + + it('should render plain tooltip', () => { + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); + + it('should render tooltip with xDomain', () => { + const headerWithValue = { ...header, value: 
10 }; + const xDomain = { min: 0, max: 1000 }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); + + it('should render tooltip with partial buckets', () => { + const headerWithValue = { ...header, value: 10 }; + const xDomain = { min: 15, max: 1000 }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + + const xDomain2 = { min: 5, max: 1000, minInterval: 995 }; + + const tooltip2 = shallow( + + ); + + expect(tooltip2).toMatchSnapshot(); + }); + + it('should render tooltip without x-value', () => { + const value = { ...header, value: 10 }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + + const seriesIdentifierWithoutX = getSeriesIdentifier({ + layerId, + yAccessor: accessor, + splitAccessor: splitAccessor as string, + splitAccessors, + splitRowAccessor, + splitColumnAccessor, + }); + + const value2 = { ...header, value: 10, seriesIdentifier: seriesIdentifierWithoutX }; + + const tooltip2 = shallow( + + ); + + expect(tooltip2).toMatchSnapshot(); + }); + + it('should render tooltip without y-value', () => { + const seriesIdentifierWithoutY = getSeriesIdentifier({ + layerId, + xAccessor: xAccessor as string, + splitAccessor: splitAccessor as string, + splitAccessors, + splitRowAccessor, + splitColumnAccessor, + }); + + const value = { ...header, value: 10, seriesIdentifier: seriesIdentifierWithoutY }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); + + it('should render tooltip without splitAccessors-values', () => { + const seriesIdentifierWithoutSplitAccessors = getSeriesIdentifier({ + layerId, + xAccessor: xAccessor as string, + yAccessor: accessor, + splitAccessors: new Map(), + splitRowAccessor, + splitColumnAccessor, + }); + + const value = { ...header, value: 10, seriesIdentifier: seriesIdentifierWithoutSplitAccessors }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); + + it('should render tooltip without 
split-row-values', () => { + const seriesIdentifierWithoutSplitRow = getSeriesIdentifier({ + layerId, + xAccessor: xAccessor as string, + yAccessor: accessor, + splitAccessor: splitAccessor as string, + splitAccessors, + splitColumnAccessor, + }); + + const value = { ...header, value: 10, seriesIdentifier: seriesIdentifierWithoutSplitRow }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); + + it('should render tooltip without split-column-values', () => { + const seriesIdentifierWithoutSplitColumn = getSeriesIdentifier({ + layerId, + xAccessor: xAccessor as string, + yAccessor: accessor, + splitAccessor: splitAccessor as string, + splitAccessors, + splitRowAccessor, + }); + + const value = { ...header, value: 10, seriesIdentifier: seriesIdentifierWithoutSplitColumn }; + + const tooltip = shallow( + + ); + + expect(tooltip).toMatchSnapshot(); + }); +}); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.tsx new file mode 100644 index 0000000000000..6c7a3e586e8e6 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip.tsx 
@@ -0,0 +1,126 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { TooltipInfo, XYChartSeriesIdentifier } from '@elastic/charts'; +import { FormatFactory } from '@kbn/field-formats-plugin/common'; +import React, { FC } from 'react'; +import { + DatatablesWithFormatInfo, + getMetaFromSeriesId, + LayersAccessorsTitles, + LayersFieldFormats, +} from '../../helpers'; +import { XDomain } from '../x_domain'; +import { EndzoneTooltipHeader } from './endzone_tooltip_header'; +import { TooltipData, TooltipRow } from './tooltip_row'; +import { isEndzoneBucket } from './utils'; + +import './tooltip.scss'; + +type Props = TooltipInfo & { + xDomain?: XDomain; + fieldFormats: LayersFieldFormats; + titles?: LayersAccessorsTitles; + formatFactory: FormatFactory; + formattedDatatables: DatatablesWithFormatInfo; + splitAccessors?: { + splitRowAccessor?: string; + splitColumnAccessor?: string; + }; +}; + +export const Tooltip: FC = ({ + header, + values, + fieldFormats, + titles = {}, + formatFactory, + formattedDatatables, + splitAccessors, + xDomain, +}) => { + const pickedValue = values.find(({ isHighlighted }) => isHighlighted); + + if (!pickedValue) { + return null; + } + + const data: TooltipData[] = []; + const seriesIdentifier = pickedValue.seriesIdentifier as XYChartSeriesIdentifier; + const { layerId, xAccessor, yAccessor } = getMetaFromSeriesId(seriesIdentifier.specId); + const { formattedColumns } = formattedDatatables[layerId]; + const layerTitles = titles[layerId]; + const layerFormats = fieldFormats[layerId]; + let headerFormatter; + if (header && xAccessor) { + headerFormatter = formattedColumns[xAccessor] + ? 
null + : formatFactory(layerFormats.xAccessors[xAccessor]); + data.push({ + label: layerTitles?.xTitles?.[xAccessor], + value: headerFormatter ? headerFormatter.convert(header.value) : `${header.value}`, + }); + } + + const tooltipYAccessor = yAccessor === seriesIdentifier.yAccessor ? yAccessor : null; + if (tooltipYAccessor) { + const yFormatter = formatFactory(layerFormats.yAccessors[tooltipYAccessor]); + data.push({ + label: layerTitles?.yTitles?.[tooltipYAccessor], + value: yFormatter ? yFormatter.convert(pickedValue.value) : `${pickedValue.value}`, + }); + } + seriesIdentifier.splitAccessors.forEach((splitValue, key) => { + const splitSeriesFormatter = formattedColumns[key] + ? null + : formatFactory(layerFormats.splitSeriesAccessors[key]); + + const label = layerTitles?.splitSeriesTitles?.[key]; + const value = splitSeriesFormatter ? splitSeriesFormatter.convert(splitValue) : `${splitValue}`; + data.push({ label, value }); + }); + + if ( + splitAccessors?.splitColumnAccessor && + seriesIdentifier.smVerticalAccessorValue !== undefined + ) { + data.push({ + label: layerTitles?.splitColumnTitles?.[splitAccessors?.splitColumnAccessor], + value: `${seriesIdentifier.smVerticalAccessorValue}`, + }); + } + + if ( + splitAccessors?.splitRowAccessor && + seriesIdentifier.smHorizontalAccessorValue !== undefined + ) { + data.push({ + label: layerTitles?.splitRowTitles?.[splitAccessors?.splitRowAccessor], + value: `${seriesIdentifier.smHorizontalAccessorValue}`, + }); + } + + const tooltipRows = data.map((tooltipRow, index) => ( + + )); + + const renderEndzoneTooltip = header ? isEndzoneBucket(header?.value, xDomain) : false; + + return ( +
+ {renderEndzoneTooltip && ( +
+ +
+ )} + + {tooltipRows} +
+
+ ); +}; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.test.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.test.tsx new file mode 100644 index 0000000000000..8e0b1cfeb77ff --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.test.tsx @@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { shallow } from 'enzyme'; +import React from 'react'; +import { TooltipHeader } from './tooltip_header'; +import { EndzoneTooltipHeader } from './endzone_tooltip_header'; + +describe('TooltipHeader', () => { + const formatter = (value: unknown) => `formatted-${value}`; + + const xDomain = { min: 10, max: 100 }; + + it('should handle endzone bucket', () => { + const value = 1; + const expectedValue = formatter(value); + const tooltipHeader = shallow( + + ); + + const endzoneTooltip = tooltipHeader.find(EndzoneTooltipHeader); + expect(endzoneTooltip.exists()).toBeTruthy(); + expect(endzoneTooltip.prop('value')).toEqual(expectedValue); + + const minInterval = 99.5; + const newValue = 11; + const newExpectedValue = formatter(newValue); + + const tooltipHeaderWithMinInterval = shallow( + + ); + + const endzoneTooltipWithMinInterval = tooltipHeaderWithMinInterval.find(EndzoneTooltipHeader); + expect(endzoneTooltipWithMinInterval.exists()).toBeTruthy(); + expect(endzoneTooltipWithMinInterval.prop('value')).toEqual(newExpectedValue); + }); + + it('should render plain value at the header', () => { + const value = 15; + const tooltipHeader = shallow( + + ); + + expect(tooltipHeader).toMatchSnapshot(); + }); +}); 
diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.tsx new file mode 100644 index 0000000000000..0ac9de2ef99fd --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_header.tsx @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import React, { FC } from 'react'; +import { XDomain } from '../x_domain'; +import { EndzoneTooltipHeader } from './endzone_tooltip_header'; +import { isEndzoneBucket } from './utils'; + +interface Props { + value: unknown; + formatter: (value: unknown) => string; + xDomain?: XDomain; +} + +export const TooltipHeader: FC = ({ value, formatter, xDomain }) => { + const renderEndzoneHeader = + xDomain && typeof value === 'number' ? isEndzoneBucket(value, xDomain) : undefined; + + if (renderEndzoneHeader) { + return ; + } + + return <>{formatter(value)}; +}; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.test.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.test.tsx new file mode 100644 index 0000000000000..70b6db53744bb --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.test.tsx 
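Review bot: `renderEndzoneHeader` in TooltipHeader is computed with a ternary whose else-branch is `undefined`, so the local is `boolean | undefined` and is then used only as a truthy test; a plain conjunction expresses the same thing as a boolean and mirrors the condition order of the helper's signature: `const renderEndzoneHeader = xDomain !== undefined && typeof value === 'number' && isEndzoneBucket(value, xDomain);`. This is purely a readability point, the rendered output is unchanged.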
@@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { shallow } from 'enzyme'; +import React from 'react'; +import { TooltipRow } from './tooltip_row'; + +describe('TooltipRow', () => { + it('should render label and value if both are specified', () => { + const tooltipRow = shallow(); + expect(tooltipRow).toMatchSnapshot(); + }); + + it('should return null if either label or value is not specified', () => { + const tooltipRow1 = shallow(); + expect(tooltipRow1).toEqual({}); + + const tooltipRow2 = shallow(); + expect(tooltipRow2).toEqual({}); + + const tooltipRow3 = shallow(); + expect(tooltipRow3).toEqual({}); + }); +}); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.tsx b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.tsx new file mode 100644 index 0000000000000..444a3bc046f62 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/tooltip_row.tsx @@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ +import React, { FC } from 'react'; + +export interface TooltipData { + label?: string; + value?: string; +} + +export const TooltipRow: FC = ({ label, value }) => { + return label && value ? ( + + +
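Review bot: `expect(tooltipRow1).toEqual({})` in the second test does not check that the component rendered nothing; it relies on a shallow wrapper of a null render happening to compare equal to an empty object, which is an enzyme implementation detail. Assert the render result directly instead, `expect(tooltipRow1.isEmptyRender()).toBe(true);`, and the same for `tooltipRow2` and `tooltipRow3`. That also makes the failure message say what was actually rendered when the component regresses.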
{label}
+ + + +
{value}
+ + + ) : null; +}; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/tooltip/utils.ts b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/utils.ts new file mode 100644 index 0000000000000..245fc8b2a4372 --- /dev/null +++ b/src/plugins/chart_expressions/expression_xy/public/components/tooltip/utils.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { XDomain } from '../x_domain'; + +export const isEndzoneBucket = ( + value: number, + { min, max, minInterval }: XDomain | undefined = {} +) => { + return ( + (min !== undefined && min > value) || + (max !== undefined && minInterval !== undefined && max - minInterval < value) + ); +}; diff --git a/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.test.tsx b/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.test.tsx index f847c78646ac2..a6c832045543f 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.test.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.test.tsx @@ -1809,8 +1809,7 @@ describe('XYChart component', () => { .find(LineSeries) .prop('name') as SeriesNameFn; - // In this case, the ID is used as the name. This shouldn't happen in practice - expect(nameFn({ ...nameFnArgs, seriesKeys: ['a'] }, false)).toEqual(null); + expect(nameFn({ ...nameFnArgs, seriesKeys: ['a'] }, false)).toEqual('a'); expect(nameFn({ ...nameFnArgs, seriesKeys: ['nonsense'] }, false)).toEqual(null); }); 
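Review bot: `label && value ? ... : null` treats an empty-string `label` or `value` as absent, while `TooltipData` declares both as optional strings, so a value that formats to `''` silently drops the whole row. If that is intended, say so on the condition (`// empty strings are treated as missing on purpose`); otherwise test for presence with `label !== undefined && value !== undefined`. `TooltipData` is exported and would benefit from a one-line JSDoc per field stating that both are already-formatted display strings.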
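Review bot: `isEndzoneBucket` has no comment explaining the asymmetry between its two bounds — the lower bound compares `value` with `min` directly while the upper bound subtracts `minInterval` from `max` — which is only correct if `value` is the start of a bucket of width `minInterval`. A JSDoc stating that contract, e.g. `/** True when the bucket starting at value is cut by the x domain: it starts before min, or would extend past max (value + minInterval > max). */`, would make it reviewable. Note also that when `minInterval` is missing the upper edge is never detected, and the `= {}` default makes that easy to hit silently; a comment on the parameter saying that the upper check is skipped without `minInterval` would help callers.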
@@ -1890,7 +1889,7 @@ describe('XYChart component', () => { // This accessor has a human-readable name expect(nameFn1({ ...nameFnArgs, seriesKeys: ['a'] }, false)).toEqual('Label A'); // This accessor does not - expect(nameFn2({ ...nameFnArgs, seriesKeys: ['b'] }, false)).toEqual(null); + expect(nameFn2({ ...nameFnArgs, seriesKeys: ['b'] }, false)).toEqual('b'); expect(nameFn1({ ...nameFnArgs, seriesKeys: ['nonsense'] }, false)).toEqual(null); }); @@ -2953,4 +2952,50 @@ describe('XYChart component', () => { expect(smallMultiples.prop('splitHorizontally')).toEqual(SPLIT_ROW); }); }); + + describe('detailed tooltip', () => { + it('should render custom detailed tooltip', () => { + const { args } = sampleArgs(); + const component = shallow( + + ); + const settings = component.find(Settings); + const tooltip = settings.prop('tooltip'); + expect(tooltip).toEqual( + expect.objectContaining({ + headerFormatter: undefined, + customTooltip: expect.any(Function), + }) + ); + }); + + it('should render default tooltip, if detailed tooltip is hidden', () => { + const { args } = sampleArgs(); + const component = shallow( + + ); + const settings = component.find(Settings); + const tooltip = settings.prop('tooltip'); + expect(tooltip).toEqual( + expect.objectContaining({ + headerFormatter: expect.any(Function), + customTooltip: undefined, + }) + ); + }); + }); }); diff --git a/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.tsx b/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.tsx index 64433e8ceb7b1..e01086428f393 100644 --- a/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/components/xy_chart.tsx 
@@ -57,12 +57,10 @@ import { getAnnotationsLayers, getDataLayers, Series, - getFormat, - isReferenceLineYConfig, getFormattedTablesByLayers, -} from '../helpers'; - -import { + getLayersFormats, + getLayersTitles, + isReferenceLineYConfig, getFilteredLayers, getReferenceLayers, isDataLayer, @@ -86,9 +84,11 @@ import { } from './annotations'; import { AxisExtentModes, SeriesTypes, ValueLabelModes, XScaleTypes } from '../../common/constants'; import { DataLayers } from './data_layers'; +import { Tooltip } from './tooltip'; import { XYCurrentTime } from './xy_current_time'; import './xy_chart.scss'; +import { TooltipHeader } from './tooltip'; declare global { interface Window { @@ -195,6 +195,11 @@ export function XYChart({ [dataLayers, formatFactory] ); + const fieldFormats = useMemo( + () => getLayersFormats(dataLayers, { splitColumnAccessor, splitRowAccessor }), + [dataLayers, splitColumnAccessor, splitRowAccessor] + ); + if (dataLayers.length === 0) { const icon: IconType = getIconForSeriesType( getDataLayers(layers)?.[0]?.seriesType || SeriesTypes.BAR @@ -208,9 +213,7 @@ export function XYChart({ : undefined; const xAxisFormatter = formatFactory( - dataLayers[0].xAccessor - ? getFormat(dataLayers[0].table.columns, dataLayers[0].xAccessor) - : undefined + xAxisColumn?.id ? fieldFormats[dataLayers[0].layerId].xAccessors[xAxisColumn?.id] : undefined ); // This is a safe formatter for the xAccessor that abstracts the knowledge of already formatted layers 
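Review bot: `./tooltip` is imported twice in the same file — `import { Tooltip } from './tooltip';` with the other component imports and `import { TooltipHeader } from './tooltip';` after the `.scss` import — which lint rules such as `import/no-duplicates` flag and which splits one module's imports around a side-effect import. Merge them into a single `import { Tooltip, TooltipHeader } from './tooltip';` placed with the other `./` imports. In the `-208` hunk of the same file, `fieldFormats[dataLayers[0].layerId].xAccessors[xAxisColumn?.id]` keeps a redundant `?.` after `xAxisColumn?.id` has already been checked truthy; `xAxisColumn.id` would do.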
@@ -229,11 +232,24 @@ export function XYChart({ dataLayers, shouldRotate, formatFactory, + fieldFormats, yLeftScale, yRightScale ); const xTitle = args.xTitle || (xAxisColumn && xAxisColumn.name); + const yAxesMap = { + left: yAxesConfiguration.find(({ groupId }) => groupId === 'left'), + right: yAxesConfiguration.find(({ groupId }) => groupId === 'right'), + }; + + const titles = getLayersTitles( + dataLayers, + { splitColumnAccessor, splitRowAccessor }, + { xTitle: args.xTitle, yTitle: args.yTitle, yRightTitle: args.yRightTitle }, + yAxesConfiguration + ); + const axisTitlesVisibilitySettings = args.axisTitlesVisibilitySettings || { x: true, yLeft: true, @@ -267,24 +283,10 @@ export function XYChart({ isHistogramViz ); - const yAxesMap = { - left: yAxesConfiguration.find(({ groupId }) => groupId === 'left'), - right: yAxesConfiguration.find(({ groupId }) => groupId === 'right'), - }; - - const getYAxesTitles = (axisSeries: Series[], groupId: 'right' | 'left') => { - const yTitle = groupId === 'right' ? args.yRightTitle : args.yTitle; - return ( - yTitle || - axisSeries - .map( - (series) => - filteredLayers - .find(({ layerId }) => series.layer === layerId) - ?.table.columns.find((column) => column.id === series.accessor)?.name - ) - .filter((name) => Boolean(name))[0] - ); + const getYAxesTitles = (axisSeries: Series[]) => { + return axisSeries + .map(({ layer, accessor }) => titles?.[layer]?.yTitles?.[accessor]) + .filter((name) => Boolean(name))[0]; }; const referenceLineLayers = getReferenceLayers(layers); 
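Review bot: `getYAxesTitles` maps every series to a title and then takes the first truthy element with `.filter((name) => Boolean(name))[0]`; `axisSeries.map(({ layer, accessor }) => titles?.[layer]?.yTitles?.[accessor]).find(Boolean)` expresses "first series that has a title" directly and stops at the first hit. Since the helper now only consults `titles`, a one-line comment above it saying that the `yTitle`/`yRightTitle` overrides are already resolved inside `getLayersTitles` would explain why the `groupId` parameter was dropped. `titles` is recomputed on every render while `fieldFormats` above is memoized; whether that matters depends on how `yAxesConfiguration` is produced, which is outside this hunk.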
@@ -428,9 +430,11 @@ export function XYChart({ const xAccessor = layer.xAccessor ? getAccessorByDimension(layer.xAccessor, table.columns) : undefined; + + const xFormat = xColumn ? fieldFormats[layer.layerId].xAccessors[xColumn.id] : undefined; const currentXFormatter = xAccessor && formattedDatatables[layer.layerId]?.formattedColumns[xAccessor] && xColumn - ? formatFactory(layer.xAccessor ? getFormat(table.columns, layer.xAccessor) : undefined) + ? formatFactory(xFormat) : xAxisFormatter; const rowIndex = table.rows.findIndex((row) => { @@ -457,9 +461,10 @@ export function XYChart({ ? getAccessorByDimension(layer.splitAccessor, table.columns) : undefined; - const splitFormatter = formatFactory( - layer.splitAccessor ? getFormat(table.columns, layer.splitAccessor) : undefined - ); + const splitFormat = splitAccessor + ? fieldFormats[layer.layerId].splitSeriesAccessors[splitAccessor] + : undefined; + const splitFormatter = formatFactory(splitFormat); points.push({ row: table.rows.findIndex((row) => { @@ -552,6 +557,22 @@ export function XYChart({ }; const isSplitChart = splitColumnAccessor || splitRowAccessor; const splitTable = isSplitChart ? dataLayers[0].table : undefined; + const splitColumnId = + splitColumnAccessor && splitTable + ? getAccessorByDimension(splitColumnAccessor, splitTable?.columns) + : undefined; + + const splitRowId = + splitRowAccessor && splitTable + ? getAccessorByDimension(splitRowAccessor, splitTable?.columns) + : undefined; + const splitLayerFieldFormats = fieldFormats[dataLayers[0].layerId]; + const splitFieldFormats = { + ...(splitColumnId + ? { [splitColumnId]: splitLayerFieldFormats.splitColumnAccessors[splitColumnId] } + : {}), + ...(splitRowId ? { [splitRowId]: splitLayerFieldFormats.splitRowAccessors[splitRowId] } : {}), + }; return ( 
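Review bot: In the `-552` hunk, `splitTable?.columns` uses optional chaining in both `splitColumnId` and `splitRowId` right after the same expression has checked `splitTable` truthy (`splitColumnAccessor && splitTable`, `splitRowAccessor && splitTable`), so the `?.` is dead and suggests a nullability that does not exist; `getAccessorByDimension(splitColumnAccessor, splitTable.columns)` is the honest form. `splitLayerFieldFormats` is read from `dataLayers[0]` unconditionally, which is safe only because of the early return on `dataLayers.length === 0` earlier in `XYChart` (outside this hunk); a short comment such as `// dataLayers is non-empty here (early return above)` would keep that invariant visible. The `XYChart` body continues past this hunk.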
@@ -596,7 +617,32 @@ export function XYChart({ baseTheme={chartBaseTheme} tooltip={{ boundary: document.getElementById('app-fixed-viewport') ?? undefined, - headerFormatter: (d) => safeXAccessorLabelRenderer(d.value), + headerFormatter: !args.detailedTooltip + ? ({ value }) => ( + + ) + : undefined, + customTooltip: args.detailedTooltip + ? ({ header, values }) => ( + + ) + : undefined, type: args.showTooltip ? TooltipType.VerticalCursor : TooltipType.None, }} allowBrushingLastHistogramBin={isTimeViz} @@ -642,6 +688,7 @@ export function XYChart({ splitRowAccessor={splitRowAccessor} formatFactory={formatFactory} columns={splitTable.columns} + fieldFormats={splitFieldFormats} /> )} {yAxesConfiguration.map((axis) => { @@ -651,7 +698,7 @@ export function XYChart({ id={axis.groupId} groupId={axis.groupId} position={axis.position} - title={getYAxesTitles(axis.series, axis.groupId)} + title={getYAxesTitles(axis.series)} gridLine={{ visible: axis.groupId === 'right' @@ -685,6 +732,7 @@ export function XYChart({ {dataLayers.length && ( ) : null} {rangeAnnotations.length || groupedLineAnnotations.length ? ( diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts index 55abd3d07a6be..29f146bfa4f91 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.test.ts @@ -10,6 +10,7 @@ import { DataLayerConfig } from '../../common'; import { LayerTypes } from '../../common/constants'; import { Datatable } from '@kbn/expressions-plugin/public'; import { getAxesConfiguration } from './axes_configuration'; +import { LayersFieldFormats } from './layers'; describe('axes_configuration', () => { const tables: Record = { 
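Review bot: `headerFormatter` and `customTooltip` are selected by two opposite tests of the same flag (`!args.detailedTooltip` and `args.detailedTooltip`), so the mutual exclusion lives in two places and can drift if a third tooltip mode is ever added; deriving the pair once, e.g. `const tooltipProps = args.detailedTooltip ? { customTooltip: ... } : { headerFormatter: ... };` and spreading it into `tooltip={{ ... }}`, keeps it in one place. Both callbacks are fresh arrow functions on every render of `XYChart`; if `Settings` compares `tooltip` by reference this defeats any memoization, which I cannot confirm from the hunk. The props handed to `TooltipHeader` and `Tooltip` inside the arrows are not visible in this view, and the enclosing JSX continues outside the hunk.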
@@ -236,9 +237,23 @@ describe('axes_configuration', () => { table: tables.first, }; + const fieldFormats: LayersFieldFormats = { + first: { + xAccessors: { c: { id: 'number', params: {} } }, + yAccessors: { + yAccessorId: { id: 'number', params: {} }, + yAccessorId3: { id: 'currency', params: {} }, + yAccessorId4: { id: 'currency', params: {} }, + }, + splitSeriesAccessors: { d: { id: 'number', params: {} } }, + splitColumnAccessors: {}, + splitRowAccessors: {}, + }, + }; + it('should map auto series to left axis', () => { const formatFactory = jest.fn(); - const groups = getAxesConfiguration([sampleLayer], false, formatFactory); + const groups = getAxesConfiguration([sampleLayer], false, formatFactory, fieldFormats); expect(groups.length).toEqual(1); expect(groups[0].position).toEqual('left'); expect(groups[0].series[0].accessor).toEqual('yAccessorId'); @@ -248,7 +263,7 @@ describe('axes_configuration', () => { it('should map auto series to right axis if formatters do not match', () => { const formatFactory = jest.fn(); const twoSeriesLayer = { ...sampleLayer, accessors: ['yAccessorId', 'yAccessorId2'] }; - const groups = getAxesConfiguration([twoSeriesLayer], false, formatFactory); + const groups = getAxesConfiguration([twoSeriesLayer], false, formatFactory, fieldFormats); expect(groups.length).toEqual(2); expect(groups[0].position).toEqual('left'); expect(groups[1].position).toEqual('right'); @@ -262,7 +277,7 @@ describe('axes_configuration', () => { ...sampleLayer, accessors: ['yAccessorId', 'yAccessorId2', 'yAccessorId3'], }; - const groups = getAxesConfiguration([threeSeriesLayer], false, formatFactory); + const groups = getAxesConfiguration([threeSeriesLayer], false, formatFactory, fieldFormats); expect(groups.length).toEqual(2); expect(groups[0].position).toEqual('left'); expect(groups[1].position).toEqual('right'); 
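Review bot: The new `fieldFormats` fixture has no entry for `yAccessorId2`, yet 'should map auto series to right axis if formatters do not match' (the `-248` hunk) depends on `yAccessorId2` having a format different from `yAccessorId`. With the new `groupAxesByType`, `fieldFormats[layerId].yAccessors[yAccessor]!` yields `undefined` for it and `isFormatterCompatible` tolerates that through `?.id`, so the test passes only because `undefined !== 'number'`, not because two real formats disagree. Add `yAccessorId2: { id: 'bytes', params: {} }` (any id other than `'number'`) to `yAccessors` so the test exercises the intended case, and give every accessor used in this file a fixture entry.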
@@ -281,7 +296,8 @@ describe('axes_configuration', () => { }, ], false, - formatFactory + formatFactory, + fieldFormats ); expect(groups.length).toEqual(1); expect(groups[0].position).toEqual('right'); @@ -300,7 +316,8 @@ describe('axes_configuration', () => { }, ], false, - formatFactory + formatFactory, + fieldFormats ); expect(groups.length).toEqual(2); expect(groups[0].position).toEqual('left'); @@ -308,8 +325,8 @@ describe('axes_configuration', () => { expect(groups[0].series[1].accessor).toEqual('yAccessorId4'); expect(groups[1].position).toEqual('right'); expect(groups[1].series[0].accessor).toEqual('yAccessorId'); - expect(formatFactory).toHaveBeenCalledWith({ id: 'number' }); - expect(formatFactory).toHaveBeenCalledWith({ id: 'currency' }); + expect(formatFactory).toHaveBeenCalledWith({ id: 'number', params: {} }); + expect(formatFactory).toHaveBeenCalledWith({ id: 'currency', params: {} }); }); it('should create one formatter per series group', () => { @@ -323,10 +340,11 @@ describe('axes_configuration', () => { }, ], false, - formatFactory + formatFactory, + fieldFormats ); expect(formatFactory).toHaveBeenCalledTimes(2); - expect(formatFactory).toHaveBeenCalledWith({ id: 'number' }); - expect(formatFactory).toHaveBeenCalledWith({ id: 'currency' }); + expect(formatFactory).toHaveBeenCalledWith({ id: 'number', params: {} }); + expect(formatFactory).toHaveBeenCalledWith({ id: 'currency', params: {} }); }); }); diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts index 89dc87ae5383b..415c240a725d1 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/axes_configuration.ts 
@@ -16,8 +16,7 @@ import { YConfig, YScaleType, } from '../../common'; -import { isDataLayer } from './visualization'; -import { getFormat } from './format'; +import { LayersFieldFormats } from './layers'; export interface Series { layer: string; @@ -40,10 +39,13 @@ export function isFormatterCompatible( formatter1: SerializedFieldFormat, formatter2: SerializedFieldFormat ) { - return formatter1.id === formatter2.id; + return formatter1?.id === formatter2?.id; } -export function groupAxesByType(layers: CommonXYDataLayerConfig[]) { +export function groupAxesByType( + layers: CommonXYDataLayerConfig[], + fieldFormats: LayersFieldFormats +) { const series: { auto: FormattedMetric[]; left: FormattedMetric[]; @@ -57,32 +59,14 @@ export function groupAxesByType(layers: CommonXYDataLayerConfig[]) { }; layers.forEach((layer) => { - const { table } = layer; + const { layerId, table } = layer; layer.accessors.forEach((accessor) => { const yConfig: Array | undefined = layer.yConfig; - const yAccessor = getAccessorByDimension(accessor, table?.columns || []); + const yAccessor = getAccessorByDimension(accessor, table.columns); const mode = - yConfig?.find((yAxisConfig) => yAxisConfig.forAccessor === yAccessor)?.axisMode || 'auto'; - let formatter: SerializedFieldFormat = getFormat(table.columns, accessor) || { - id: 'number', - }; - if ( - isDataLayer(layer) && - layer.seriesType.includes('percentage') && - formatter.id !== 'percent' - ) { - formatter = { - id: 'percent', - params: { - pattern: '0.[00]%', - }, - }; - } - series[mode].push({ - layer: layer.layerId, - accessor: yAccessor, - fieldFormat: formatter, - }); + yConfig?.find(({ forAccessor }) => forAccessor === yAccessor)?.axisMode || 'auto'; + const fieldFormat = fieldFormats[layerId].yAccessors[yAccessor]!; + series[mode].push({ layer: layer.layerId, accessor: yAccessor, fieldFormat }); }); }); 
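Review bot: `isFormatterCompatible` now uses `formatter1?.id === formatter2?.id` while its parameters stay typed as non-optional `SerializedFieldFormat`, and `groupAxesByType` feeds it `fieldFormats[layerId].yAccessors[yAccessor]!` with a non-null assertion; the two changes contradict each other. Either the lookup can be undefined, in which case the `!` should go and the parameters become `SerializedFieldFormat | undefined`, or it cannot, in which case the `?.` is dead. Note that two missing formats compare equal (`undefined === undefined`), so accessors absent from `fieldFormats` would all be grouped on one axis; the removed code defaulted to `{ id: 'number' }`, and keeping that fallback, `fieldFormats[layerId]?.yAccessors[yAccessor] ?? { id: 'number' }`, preserves the old behavior for callers that build `fieldFormats` by hand (the tests in this PR do).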
@@ -117,11 +101,12 @@ export function groupAxesByType(layers: CommonXYDataLayerConfig[]) { export function getAxesConfiguration( layers: CommonXYDataLayerConfig[], shouldRotate: boolean, - formatFactory?: FormatFactory, + formatFactory: FormatFactory | undefined, + fieldFormats: LayersFieldFormats, yLeftScale?: YScaleType, yRightScale?: YScaleType ): GroupsConfiguration { - const series = groupAxesByType(layers); + const series = groupAxesByType(layers, fieldFormats); const axisGroups: GroupsConfiguration = []; diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/data_layers.tsx b/src/plugins/chart_expressions/expression_xy/public/helpers/data_layers.tsx index f9141cf3e30b1..d4216545edd66 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/data_layers.tsx +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/data_layers.tsx @@ -36,12 +36,14 @@ import { FormatFactory } from '../types'; import { getSeriesColor } from './state'; import { ColorAssignments } from './color_assignment'; import { GroupsConfiguration } from './axes_configuration'; +import { LayerAccessorsTitles } from './layers'; import { getFormat } from './format'; type SeriesSpec = LineSeriesProps & BarSeriesProps & AreaSeriesProps; type GetSeriesPropsFn = (config: { layer: CommonXYDataLayerConfig; + titles?: LayerAccessorsTitles; accessor: string; chartHasMoreThanOneBarSeries?: boolean; formatFactory: FormatFactory; @@ -66,7 +68,8 @@ type GetSeriesNameFn = ( splitFormatter: FieldFormat; alreadyFormattedColumns: Record; columnToLabelMap: Record; - } + }, + titles: LayerAccessorsTitles ) => SeriesName; type GetColorFn = ( @@ -78,7 +81,8 @@ type GetColorFn = ( columnToLabelMap: Record; paletteService: PaletteRegistry; syncColors?: boolean; - } + }, + titles: LayerAccessorsTitles ) => string | null; type GetPointConfigFn = (config: { 
@@ -209,7 +213,8 @@ const getSeriesName: GetSeriesNameFn = ( splitFormatter, alreadyFormattedColumns, columnToLabelMap, - } + }, + titles ) => { // For multiple y series, the name of the operation is used on each, either: // * Key - Y name @@ -221,9 +226,15 @@ const getSeriesName: GetSeriesNameFn = ( if (i === 0 && splitHint && splitColumnId && !formatted) { return splitFormatter.convert(key); } - return splitColumnId && i === 0 ? key : columnToLabelMap[key] ?? null; + return splitColumnId && i === 0 + ? key + : columnToLabelMap[key] ?? + titles?.yTitles?.[key] ?? + titles?.splitSeriesTitles?.[key] ?? + null; }) .join(' - '); + return result; } @@ -235,10 +246,13 @@ const getSeriesName: GetSeriesNameFn = ( } return splitFormatter.convert(data.seriesKeys[0]); } + // This handles both split and single-y cases: // * If split series without formatting, show the value literally // * If single Y, the seriesKey will be the accessor, so we show the human-readable name - return splitColumnId ? data.seriesKeys[0] : columnToLabelMap[data.seriesKeys[0]] ?? null; + return splitColumnId + ? data.seriesKeys[0] + : columnToLabelMap[data.seriesKeys[0]] ?? titles?.yTitles?.[data.seriesKeys[0]] ?? null; }; const getPointConfig: GetPointConfigFn = ({ 
@@ -267,16 +281,20 @@ const getLineConfig: GetLineConfigFn = ({ showLines, lineWidth }) => ({ const getColor: GetColorFn = ( { yAccessor, seriesKeys }, - { layer, accessor, colorAssignments, columnToLabelMap, paletteService, syncColors } + { layer, accessor, colorAssignments, columnToLabelMap, paletteService, syncColors }, + titles ) => { const overwriteColor = getSeriesColor(layer, accessor); if (overwriteColor !== null) { return overwriteColor; } const colorAssignment = colorAssignments[layer.palette.name]; + const seriesLayers: SeriesLayer[] = [ { - name: layer.splitAccessor ? String(seriesKeys[0]) : columnToLabelMap[seriesKeys[0]], + name: layer.splitAccessor + ? String(seriesKeys[0]) + : columnToLabelMap[seriesKeys[0]] ?? titles?.yTitles?.[seriesKeys[0]] ?? null, totalSeriesAtDepth: colorAssignment.totalSeriesCount, rankAtDepth: colorAssignment.getRank(layer, String(seriesKeys[0]), String(yAccessor)), }, @@ -293,8 +311,37 @@ const getColor: GetColorFn = ( ); }; +const EMPTY_ACCESSOR = '-'; +const SPLIT_CHAR = '.'; + +export const generateSeriesId = ( + { + layerId, + xAccessor, + splitAccessor, + }: Pick, + accessor?: string +) => + [ + layerId, + xAccessor ?? EMPTY_ACCESSOR, + accessor ?? EMPTY_ACCESSOR, + splitAccessor ?? EMPTY_ACCESSOR, + ].join(SPLIT_CHAR); + +export const getMetaFromSeriesId = (seriesId: string) => { + const [layerId, xAccessor, yAccessor, splitAccessor] = seriesId.split(SPLIT_CHAR); + return { + layerId, + xAccessor: xAccessor === EMPTY_ACCESSOR ? undefined : xAccessor, + yAccessor, + splitAccessor: splitAccessor === EMPTY_ACCESSOR ? undefined : splitAccessor, + }; +}; + export const getSeriesProps: GetSeriesPropsFn = ({ layer, + titles = {}, accessor, chartHasMoreThanOneBarSeries, colorAssignments, 
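Review bot: `generateSeriesId` joins `layerId`, the accessors and `splitAccessor` with `'.'` and `getMetaFromSeriesId` splits on the same character, so the round-trip breaks as soon as any of those ids contains a dot: `split` yields more than four parts and `yAccessor`/`splitAccessor` land in the wrong slots. Whether layer or column ids can contain `'.'` is not visible here, so please confirm or choose a separator that cannot occur in them. `getMetaFromSeriesId` also maps `EMPTY_ACCESSOR` back to `undefined` for `xAccessor` and `splitAccessor` but not for `yAccessor`, which `generateSeriesId` emits as `'-'` when `accessor` is omitted. A JSDoc on both helpers stating the `layerId.x.y.split` layout and that `'-'` marks a missing part would make the contract explicit.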
@@ -363,8 +410,8 @@ export const getSeriesProps: GetSeriesPropsFn = ({ return { splitSeriesAccessors: splitColumnId ? [splitColumnId] : [], - stackAccessors: isStacked ? [xColumnId as string] : [], - id: splitColumnId ? `${splitColumnId}-${accessor}` : accessor, + stackAccessors: isStacked ? [layer.xAccessor as string] : [], + id: generateSeriesId(layer, accessor), xAccessor: xColumnId || 'unifiedX', yAccessors: [accessor], markSizeAccessor: markSizeColumnId, @@ -376,14 +423,18 @@ export const getSeriesProps: GetSeriesPropsFn = ({ ? ScaleType.LinearBinary : yAxis?.scale || ScaleType.Linear, color: (series) => - getColor(series, { - layer, - accessor, - colorAssignments, - columnToLabelMap, - paletteService, - syncColors, - }), + getColor( + series, + { + layer, + accessor, + colorAssignments, + columnToLabelMap, + paletteService, + syncColors, + }, + titles + ), groupId: yAxis?.groupId, enableHistogramMode, stackMode: isPercentage ? StackMode.Percentage : undefined, @@ -417,14 +468,18 @@ export const getSeriesProps: GetSeriesPropsFn = ({ line: getLineConfig({ lineWidth: layer.lineWidth, showLines: layer.showLines }), }, name(d) { - return getSeriesName(d, { - splitColumnId, - accessorsCount: layer.accessors.length, - splitHint, - splitFormatter, - alreadyFormattedColumns: formattedColumns, - columnToLabelMap, - }); + return getSeriesName( + d, + { + splitColumnId, + accessorsCount: layer.accessors.length, + splitHint, + splitFormatter, + alreadyFormattedColumns: formattedColumns, + columnToLabelMap, + }, + titles + ); }, }; }; diff --git a/src/plugins/chart_expressions/expression_xy/public/helpers/layers.ts b/src/plugins/chart_expressions/expression_xy/public/helpers/layers.ts index a30cc3a80ca44..dd3969c1b6412 100644 --- a/src/plugins/chart_expressions/expression_xy/public/helpers/layers.ts +++ b/src/plugins/chart_expressions/expression_xy/public/helpers/layers.ts 
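Review bot: `stackAccessors: isStacked ? [layer.xAccessor as string] : []` replaces the resolved `xColumnId` with the raw `layer.xAccessor`, while `xAccessor: xColumnId || 'unifiedX'` two lines below still uses the resolved column id, so the stack accessor and the x accessor can now name different things. Elsewhere in this PR `xAccessor` is `string | ExpressionValueVisDimension` (see `getLayerTitles` in layers.ts, which resolves it through `getAccessorByDimension`), so the `as string` cast hides a case where an object is handed to the series spec. If the change is deliberate, a comment explaining why stacking must not use `xColumnId` is needed; otherwise revert to `[xColumnId as string]`. `getSeriesProps` starts before this hunk.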
@@ -7,15 +7,57 @@ */ import { Datatable } from '@kbn/expressions-plugin/common'; -import { getAccessorByDimension } from '@kbn/visualizations-plugin/common/utils'; -import type { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common/expression_functions'; +import { SerializedFieldFormat } from '@kbn/field-formats-plugin/common'; +import { ExpressionValueVisDimension } from '@kbn/visualizations-plugin/common/expression_functions'; +import { + getAccessorByDimension, + getColumnByAccessor, +} from '@kbn/visualizations-plugin/common/utils'; import { CommonXYDataLayerConfig, CommonXYLayerConfig, ReferenceLineLayerConfig, + SeriesType, } from '../../common/types'; +import { GroupsConfiguration } from './axes_configuration'; +import { getFormat } from './format'; import { isDataLayer, isReferenceLayer } from './visualization'; +interface CustomTitles { + xTitle?: string; + yTitle?: string; + yRightTitle?: string; +} + +interface SplitAccessors { + splitColumnAccessor?: string | ExpressionValueVisDimension; + splitRowAccessor?: string | ExpressionValueVisDimension; +} + +export type AccessorsFieldFormats = Record; + +export interface LayerFieldFormats { + xAccessors: AccessorsFieldFormats; + yAccessors: AccessorsFieldFormats; + splitSeriesAccessors: AccessorsFieldFormats; + splitColumnAccessors: AccessorsFieldFormats; + splitRowAccessors: AccessorsFieldFormats; +} + +export type LayersFieldFormats = Record; + +export type AccessorsTitles = Record; + +export interface LayerAccessorsTitles { + xTitles?: AccessorsTitles; + yTitles?: AccessorsTitles; + splitSeriesTitles?: AccessorsTitles; + splitColumnTitles?: AccessorsTitles; + splitRowTitles?: AccessorsTitles; +} + +export type LayersAccessorsTitles = Record; + export function getFilteredLayers(layers: CommonXYLayerConfig[]) { return layers.filter( (layer): layer is ReferenceLineLayerConfig | CommonXYDataLayerConfig => { 
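Review bot: The new exported types `LayerFieldFormats`, `LayersFieldFormats`, `LayerAccessorsTitles` and `LayersAccessorsTitles` carry no documentation, and their shape — a record keyed by layer id whose values are records keyed by resolved column id, grouped by dimension role — is only discoverable by reading `getLayerFormats` and `getLayerTitles` further down. A JSDoc on each, e.g. `/** Serialized field formats of one data layer, grouped by dimension role and keyed by column id. */` on `LayerFieldFormats` and `/** Field formats of every data layer, keyed by layerId. */` on `LayersFieldFormats` (with the matching pair on the titles types), lets consumers such as `groupAxesByType` use them without that detour. `CustomTitles` and `SplitAccessors` are not exported but appear in exported function signatures, so they deserve the same one-liners.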
@@ -52,3 +94,140 @@ export function getFilteredLayers(layers: CommonXYLayerConfig[]) { } ); } + +const getAccessorWithFieldFormat = ( + dimension: string | ExpressionValueVisDimension | undefined, + columns: Datatable['columns'] +) => { + if (!dimension) { + return {}; + } + + const accessor = getAccessorByDimension(dimension, columns); + return { [accessor]: getFormat(columns, dimension) }; +}; + +const getYAccessorWithFieldFormat = ( + dimension: string | ExpressionValueVisDimension | undefined, + columns: Datatable['columns'], + seriesType: SeriesType +) => { + if (!dimension) { + return {}; + } + + const accessor = getAccessorByDimension(dimension, columns); + let format = getFormat(columns, dimension) ?? { id: 'number' }; + if (format?.id !== 'percent' && seriesType.includes('percentage')) { + format = { id: 'percent', params: { pattern: '0.[00]%' } }; + } + + return { [accessor]: format }; +}; + +export const getLayerFormats = ( + { xAccessor, accessors, splitAccessor, table, seriesType }: CommonXYDataLayerConfig, + { splitColumnAccessor, splitRowAccessor }: SplitAccessors +): LayerFieldFormats => { + const yAccessors: Array = accessors; + return { + xAccessors: getAccessorWithFieldFormat(xAccessor, table.columns), + yAccessors: yAccessors.reduce( + (formatters, a) => ({ + ...formatters, + ...getYAccessorWithFieldFormat(a, table.columns, seriesType), + }), + {} + ), + splitSeriesAccessors: getAccessorWithFieldFormat(splitAccessor, table.columns), + splitColumnAccessors: getAccessorWithFieldFormat(splitColumnAccessor, table.columns), + splitRowAccessors: getAccessorWithFieldFormat(splitRowAccessor, table.columns), + }; +}; + +export const getLayersFormats = ( + layers: CommonXYDataLayerConfig[], + splitAccessors: SplitAccessors +): LayersFieldFormats => + layers.reduce( + (formatters, layer) => ({ + ...formatters, + [layer.layerId]: getLayerFormats(layer, splitAccessors), + }), + {} + ); + +const getTitleForYAccessor = ( + layerId: string, + yAccessor: string 
| ExpressionValueVisDimension, + { yTitle, yRightTitle }: Omit, + groups: GroupsConfiguration, + columns: Datatable['columns'] +) => { + const column = getColumnByAccessor(yAccessor, columns); + const isRight = groups.some((group) => + group.series.some( + ({ accessor, layer }) => + accessor === yAccessor && layer === layerId && group.groupId === 'right' + ) + ); + if (isRight) { + return yRightTitle || column!.name; + } + + return yTitle || column!.name; +}; + +export const getLayerTitles = ( + { xAccessor, accessors, splitAccessor, table, layerId }: CommonXYDataLayerConfig, + { splitColumnAccessor, splitRowAccessor }: SplitAccessors, + { xTitle, yTitle, yRightTitle }: CustomTitles, + groups: GroupsConfiguration +): LayerAccessorsTitles => { + const mapTitle = (dimension?: string | ExpressionValueVisDimension) => { + if (!dimension) { + return {}; + } + + const column = getColumnByAccessor(dimension, table.columns); + return { [column!.id]: column!.name }; + }; + + const getYTitle = (accessor: string) => ({ + [accessor]: getTitleForYAccessor( + layerId, + accessor, + { yTitle, yRightTitle }, + groups, + table.columns + ), + }); + + const xColumnId = xAccessor && getAccessorByDimension(xAccessor, table.columns); + const yColumnIds = accessors.map((a) => a && getAccessorByDimension(a, table.columns)); + + return { + xTitles: xTitle && xColumnId ? { [xColumnId]: xTitle } : mapTitle(xColumnId), + yTitles: yColumnIds.reduce( + (titles, yAccessor) => ({ ...titles, ...(yAccessor ? 
getYTitle(yAccessor) : {}) }), + {} + ), + splitSeriesTitles: mapTitle(splitAccessor), + splitColumnTitles: mapTitle(splitColumnAccessor), + splitRowTitles: mapTitle(splitRowAccessor), + }; +}; + +export const getLayersTitles = ( + layers: CommonXYDataLayerConfig[], + splitAccessors: SplitAccessors, + customTitles: CustomTitles, + groups: GroupsConfiguration +): LayersAccessorsTitles => + layers.reduce( + (formatters, layer) => ({ + ...formatters, + [layer.layerId]: getLayerTitles(layer, splitAccessors, customTitles, groups), + }), + {} + ); diff --git a/src/plugins/data/common/es_query/index.ts b/src/plugins/data/common/es_query/index.ts index d717af0107e8c..c40ac7a2e8863 100644 --- a/src/plugins/data/common/es_query/index.ts +++ b/src/plugins/data/common/es_query/index.ts @@ -49,6 +49,7 @@ import { MatchAllFilter as oldMatchAllFilter, RangeFilter as oldRangeFilter, KueryNode as oldKueryNode, + TimeRange as oldTimeRange, FilterMeta as oldFilterMeta, FILTERS as oldFILTERS, EsQueryConfig as oldEsQueryConfig, @@ -339,6 +340,12 @@ type EsQueryConfig = oldEsQueryConfig; * @removeBy 8.1 */ +/** + * @deprecated Import from the "@kbn/es-query" package directly instead. + * @removeBy 8.3 + */ +type TimeRange = oldTimeRange; + export type { Filter, RangeFilterParams, @@ -349,6 +356,7 @@ export type { KueryNode, FilterMeta, EsQueryConfig, + TimeRange, }; export { COMPARE_ALL_OPTIONS, diff --git a/src/plugins/data/common/index.ts b/src/plugins/data/common/index.ts index dd9c9000adb28..7469a5983a731 100644 --- a/src/plugins/data/common/index.ts +++ b/src/plugins/data/common/index.ts @@ -64,6 +64,7 @@ export type { RangeFilterParams, KueryNode, EsQueryConfig, + TimeRange, } from './es_query'; export { KbnFieldType } from './kbn_field_types'; export { @@ -79,7 +80,6 @@ export type { QueryState } from './query'; export * from './search'; export type { RefreshInterval, - TimeRange, TimeRangeBounds, GetConfigFn, SavedQuery, 
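Review bot: `getTitleForYAccessor` and `mapTitle` dereference `column!.name` / `column!.id` straight after `getColumnByAccessor`, so a dimension that no longer matches a column in `table.columns` throws a TypeError from inside the render path instead of yielding a missing title; unless `getColumnByAccessor` is guaranteed to return a column (its contract is not visible here), guard it, e.g. `if (!column) { return {}; }` in `mapTitle` and `return yTitle || column?.name;` in `getTitleForYAccessor`. In `getLayersTitles` the reduce accumulator is still called `formatters`, copied from `getLayersFormats`; rename it to `titles`. The accumulator-spread pattern in `getLayerFormats`, `getLayersFormats` and `getLayerTitles` is fine for the handful of accessors a layer has, but it is O(n²) if these helpers are ever reused on large inputs.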
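Review bot: In es_query/index.ts, the new `type TimeRange = oldTimeRange;` with its own `@deprecated`/`@removeBy 8.3` JSDoc is inserted directly between an existing JSDoc block (the one ending in `* @removeBy 8.1 */`) and the `export type { ... }` statement that block was documenting, so that comment is now orphaned above a second comment. Move the new alias above the existing block, next to `type EsQueryConfig = oldEsQueryConfig;`, so each JSDoc stays attached to its declaration. The opening lines of the existing block are outside this hunk, so I cannot tell what else it says.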
@@ -100,28 +100,22 @@ export { CSV_MIME_TYPE, } from './exports'; export type { - IFieldType, IIndexPatternFieldList, FieldFormatMap, RuntimeType, RuntimeField, - IIndexPattern, DataViewAttributes, - IndexPatternAttributes, FieldAttrs, FieldAttrSet, OnNotification, OnError, UiSettingsCommon, - SavedObjectsClientCommonFindArgs, - SavedObjectsClientCommon, GetFieldsOptions, IDataViewsApiClient, SavedObject, AggregationRestrictions, TypeMeta, FieldSpecConflictDescriptions, - FieldSpecExportFmt, FieldSpec, DataViewFieldMap, DataViewSpec, @@ -130,11 +124,7 @@ export type { IndexPatternLoadStartDependencies, IndexPatternLoadExpressionFunctionDefinition, } from '@kbn/data-views-plugin/common'; -export type { - IndexPatternsContract, - DataViewsContract, - DataViewListItem, -} from '@kbn/data-views-plugin/common'; +export type { DataViewsContract, DataViewListItem } from '@kbn/data-views-plugin/common'; export { RUNTIME_FIELD_TYPES, DEFAULT_ASSETS_TO_IGNORE, @@ -143,11 +133,9 @@ export { isFilterable, fieldList, DataViewField, - IndexPatternField, DataViewType, IndexPatternsService, DataViewsService, - IndexPattern, DataView, DuplicateDataViewError, DataViewSavedObjectConflictError, diff --git a/src/plugins/data/common/query/timefilter/get_time.test.ts b/src/plugins/data/common/query/timefilter/get_time.test.ts index fce67b09eec77..22485db6229c4 100644 --- a/src/plugins/data/common/query/timefilter/get_time.test.ts +++ b/src/plugins/data/common/query/timefilter/get_time.test.ts @@ -7,7 +7,7 @@ */ import { RangeFilter } from '@kbn/es-query'; -import type { IIndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import moment from 'moment'; import sinon from 'sinon'; import { getTime, getRelativeTime, getAbsoluteTimeRange } from './get_time'; 
@@ -32,7 +32,7 @@ describe('get_time', () => { filterable: true, }, ], - } as unknown as IIndexPattern, + } as unknown as DataView, { from: 'now-60y', to: 'now' } ) as RangeFilter; expect(filter.query.range.date).toEqual({ @@ -69,7 +69,7 @@ describe('get_time', () => { filterable: true, }, ], - } as unknown as IIndexPattern, + } as unknown as DataView, { from: 'now-60y', to: 'now' }, { fieldName: 'myCustomDate' } ) as RangeFilter; @@ -123,7 +123,7 @@ describe('get_time', () => { filterable: true, }, ], - } as unknown as IIndexPattern, + } as unknown as DataView, { from: 'now-60y', to: 'now' }, { fieldName: 'myCustomDate' } ) as RangeFilter; @@ -159,7 +159,7 @@ describe('get_time', () => { filterable: true, }, ], - } as unknown as IIndexPattern, + } as unknown as DataView, { from: '2020-09-01T08:30:00.000Z', to: 'now', diff --git a/src/plugins/data/common/query/timefilter/get_time.ts b/src/plugins/data/common/query/timefilter/get_time.ts index 6444f0e2f06ad..f5adbc6cd001f 100644 --- a/src/plugins/data/common/query/timefilter/get_time.ts +++ b/src/plugins/data/common/query/timefilter/get_time.ts @@ -11,7 +11,8 @@ import dateMath from '@kbn/datemath'; import { omitBy } from 'lodash'; import { buildRangeFilter } from '@kbn/es-query'; import type { Moment } from 'moment'; -import type { IIndexPattern, TimeRange, TimeRangeBounds, RangeFilterParams } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; +import type { TimeRange, TimeRangeBounds, RangeFilterParams } from '../..'; interface CalculateBoundsOptions { forceNow?: Date; @@ -47,7 +48,7 @@ export function getAbsoluteTimeRange( } export function getTime( - indexPattern: IIndexPattern | undefined, + indexPattern: DataView | undefined, timeRange: TimeRange, options?: { forceNow?: Date; fieldName?: string } ) { 
@@ -61,7 +62,7 @@ export function getTime(
 }
 export function getRelativeTime(
- indexPattern: IIndexPattern | undefined,
+ indexPattern: DataView | undefined,
 timeRange: TimeRange,
 options?: { forceNow?: Date; fieldName?: string }
 ) {
@@ -74,7 +75,7 @@ export function getRelativeTime(
 );
 }
-function getTimeField(indexPattern?: IIndexPattern, fieldName?: string) {
+function getTimeField(indexPattern?: DataView, fieldName?: string) {
 if (!indexPattern && fieldName) {
 return { name: fieldName, type: KBN_FIELD_TYPES.DATE };
 }
@@ -87,7 +88,7 @@ function getTimeField(indexPattern?: IIndexPattern, fieldName?: string) {
 }
 function createTimeRangeFilter(
- indexPattern: IIndexPattern | undefined,
+ indexPattern: DataView | undefined,
 timeRange: TimeRange,
 fieldName?: string,
 forceNow?: Date,
@@ -121,5 +122,5 @@ function createTimeRangeFilter(
 rangeFilterParams = omitBy(rangeFilterParams, (v) => v == null);
- return buildRangeFilter(field, rangeFilterParams, indexPattern);
+ return buildRangeFilter(field, rangeFilterParams, indexPattern!);
 }
diff --git a/src/plugins/data/common/search/aggs/agg_config.test.ts b/src/plugins/data/common/search/aggs/agg_config.test.ts
index d39b351e93612..34c1acfc65ca0 100644
--- a/src/plugins/data/common/search/aggs/agg_config.test.ts
+++ b/src/plugins/data/common/search/aggs/agg_config.test.ts
@@ -15,10 +15,10 @@ import { AggType } from './agg_type';
 import { AggTypesRegistryStart } from './agg_types_registry';
 import { mockAggTypesRegistry } from './test_helpers';
 import { MetricAggType } from './metrics/metric_agg_type';
-import { IndexPattern, IndexPatternField, IIndexPatternFieldList } from '../..';
+import type { DataView, DataViewField, IIndexPatternFieldList } from '../..';
 describe('AggConfig', () => {
- let indexPattern: IndexPattern;
+ let indexPattern: DataView;
 let typesRegistry: AggTypesRegistryStart;
 const fields = [
 {
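Review bot: The `!` in `return buildRangeFilter(field, rangeFilterParams, indexPattern!);` contradicts `createTimeRangeFilter`'s own parameter type, `DataView | undefined`, and `getTimeField` two hunks earlier still handles the `!indexPattern && fieldName` case, so an undefined data view can reach `buildRangeFilter` at runtime with the compiler silenced rather than the case handled. If `buildRangeFilter` now requires a data view, fail explicitly before the call, e.g. `if (!indexPattern) { throw new Error('createTimeRangeFilter: a data view is required to build a time range filter'); }`, or narrow the parameter type so callers must supply one; if it still accepts undefined, drop the assertion instead. Which of the two applies is not visible from the hunk, and the body of `createTimeRangeFilter` between its signature and the return lies outside the hunks shown.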
@@ -55,11 +55,11 @@ describe('AggConfig', () => { fields: { getByName: (name: string) => fields.find((f) => f.name === name), filter: () => fields, - } as unknown as IndexPattern['fields'], - getFormatterForField: (field: IndexPatternField) => ({ + } as unknown as DataView['fields'], + getFormatterForField: (field: DataViewField) => ({ toJSON: () => ({}), }), - } as IndexPattern; + } as DataView; typesRegistry = mockAggTypesRegistry(); }); diff --git a/src/plugins/data/common/search/aggs/agg_configs.test.ts b/src/plugins/data/common/search/aggs/agg_configs.test.ts index b70b057fa6e79..83e0d5b78d080 100644 --- a/src/plugins/data/common/search/aggs/agg_configs.test.ts +++ b/src/plugins/data/common/search/aggs/agg_configs.test.ts @@ -7,16 +7,17 @@ */ import { keyBy } from 'lodash'; +import { ExpressionAstExpression, buildExpression } from '@kbn/expressions-plugin/common'; import { AggConfig } from './agg_config'; import { AggConfigs } from './agg_configs'; import { AggTypesRegistryStart } from './agg_types_registry'; import { mockAggTypesRegistry } from './test_helpers'; -import { IndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { stubIndexPattern } from '../../stubs'; import { IEsSearchResponse } from '..'; describe('AggConfigs', () => { - const indexPattern: IndexPattern = stubIndexPattern; + const indexPattern: DataView = stubIndexPattern; let typesRegistry: AggTypesRegistryStart; beforeEach(() => { 
@@ -787,4 +788,62 @@ describe('AggConfigs', () => { }); }); }); + + describe('#toExpressionAst', () => { + function toString(ast: ExpressionAstExpression) { + return buildExpression(ast).toString(); + } + + it('should generate the `index` argument', () => { + const ac = new AggConfigs(indexPattern, [], { typesRegistry }); + + expect(toString(ac.toExpressionAst())).toMatchInlineSnapshot( + `"esaggs index={indexPatternLoad id=\\"logstash-*\\"}"` + ); + }); + + it('should generate the `metricsAtAllLevels` if hierarchical', () => { + const ac = new AggConfigs(indexPattern, [], { typesRegistry }); + ac.hierarchical = true; + + expect(toString(ac.toExpressionAst())).toMatchInlineSnapshot( + `"esaggs index={indexPatternLoad id=\\"logstash-*\\"} metricsAtAllLevels=true"` + ); + }); + + it('should generate the `partialRows` argument', () => { + const ac = new AggConfigs(indexPattern, [], { typesRegistry }); + ac.partialRows = true; + + expect(toString(ac.toExpressionAst())).toMatchInlineSnapshot( + `"esaggs index={indexPatternLoad id=\\"logstash-*\\"} partialRows=true"` + ); + }); + + it('should generate the `aggs` argument', () => { + const configStates = [ + { + enabled: true, + type: 'date_histogram', + schema: 'segment', + params: { field: '@timestamp', interval: '10s' }, + }, + { enabled: true, type: 'avg', schema: 'metric', params: { field: 'bytes' } }, + { enabled: true, type: 'sum', schema: 'metric', params: { field: 'bytes' } }, + { enabled: true, type: 'min', schema: 'metric', params: { field: 'bytes' } }, + { enabled: true, type: 'max', schema: 'metric', params: { field: 'bytes' } }, + ]; + + const ac = new AggConfigs(indexPattern, configStates, { typesRegistry }); + + expect(toString(ac.toExpressionAst())).toMatchInlineSnapshot(` + "esaggs index={indexPatternLoad id=\\"logstash-*\\"} + aggs={aggDateHistogram field=\\"@timestamp\\" useNormalizedEsInterval=true extendToTimeRange=false scaleMetricValues=false interval=\\"10s\\" drop_partials=false min_doc_count=1 
extended_bounds={extendedBounds} id=\\"1\\" enabled=true schema=\\"segment\\"} + aggs={aggAvg field=\\"bytes\\" id=\\"2\\" enabled=true schema=\\"metric\\"} + aggs={aggSum field=\\"bytes\\" emptyAsNull=false id=\\"3\\" enabled=true schema=\\"metric\\"} + aggs={aggMin field=\\"bytes\\" id=\\"4\\" enabled=true schema=\\"metric\\"} + aggs={aggMax field=\\"bytes\\" id=\\"5\\" enabled=true schema=\\"metric\\"}" + `); + }); + }); }); diff --git a/src/plugins/data/common/search/aggs/agg_configs.ts b/src/plugins/data/common/search/aggs/agg_configs.ts index c4f1da62ead3a..e7fba622dd598 100644 --- a/src/plugins/data/common/search/aggs/agg_configs.ts +++ b/src/plugins/data/common/search/aggs/agg_configs.ts @@ -11,7 +11,10 @@ import _, { cloneDeep } from 'lodash'; import { i18n } from '@kbn/i18n'; import { Assign } from '@kbn/utility-types'; import { isRangeFilter } from '@kbn/es-query'; +import type { DataView } from '@kbn/data-views-plugin/common'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import type { IndexPatternLoadExpressionFunctionDefinition } from '@kbn/data-views-plugin/common'; +import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/common'; import { IEsSearchResponse, @@ -20,11 +23,11 @@ import { RangeFilter, // eslint-disable-next-line @kbn/eslint/no-restricted-paths } from '../../../public'; +import type { EsaggsExpressionFunctionDefinition } from '../expressions'; import { AggConfig, AggConfigSerialized, IAggConfig } from './agg_config'; import { IAggType } from './agg_type'; import { AggTypesRegistryStart } from './agg_types_registry'; import { AggGroupNames } from './agg_groups'; -import { IndexPattern } from '../..'; import { TimeRange, getTime, calculateBounds } from '../..'; import { IBucketAggConfig } from './buckets'; import { insertTimeShiftSplit, mergeTimeShifts } from './utils/time_splits'; 
@@ -55,6 +58,7 @@ function parseParentAggs(dslLvlCursor: any, dsl: any) {
 export interface AggConfigsOptions {
 typesRegistry: AggTypesRegistryStart;
 hierarchical?: boolean;
+ partialRows?: boolean;
 }
 export type CreateAggConfigParams = Assign;
@@ -78,18 +82,19 @@ export type GenericBucket = estypes.AggregationsBuckets & {
 export type IAggConfigs = AggConfigs;
 export class AggConfigs {
- public indexPattern: IndexPattern;
+ public indexPattern: DataView;
 public timeRange?: TimeRange;
 public timeFields?: string[];
 public forceNow?: Date;
 public hierarchical?: boolean = false;
+ public partialRows?: boolean = false;
 private readonly typesRegistry: AggTypesRegistryStart;
 aggs: IAggConfig[];
 constructor(
- indexPattern: IndexPattern,
+ indexPattern: DataView,
 configStates: CreateAggConfigParams[] = [],
 opts: AggConfigsOptions
 ) {
@@ -100,6 +105,7 @@ export class AggConfigs {
 this.aggs = [];
 this.indexPattern = indexPattern;
 this.hierarchical = opts.hierarchical;
+ this.partialRows = opts.partialRows;
 configStates.forEach((params: any) => this.createAggConfig(params));
 }
@@ -493,4 +499,26 @@ export class AggConfigs {
 this.getRequestAggs().map((agg: AggConfig) => agg.onSearchRequestStart(searchSource, options))
 );
 }
+
+ /**
+ * Generates an expression abstract syntax tree using the `esaggs` expression function.
+ * @returns The expression AST.
+ */
+ toExpressionAst() {
+ return buildExpression([
+ buildExpressionFunction('esaggs', {
+ index: buildExpression([
+ buildExpressionFunction(
+ 'indexPatternLoad',
+ {
+ id: this.indexPattern.id!,
+ }
+ ),
+ ]),
+ metricsAtAllLevels: this.hierarchical,
+ partialRows: this.partialRows,
+ aggs: this.aggs.map((agg) => buildExpression(agg.toExpressionAst())),
+ }),
+ ]).toAst();
+ }
 }
diff --git a/src/plugins/data/common/search/aggs/aggs_service.ts b/src/plugins/data/common/search/aggs/aggs_service.ts
index a348acb90212b..21010a9294b8c 100644
--- a/src/plugins/data/common/search/aggs/aggs_service.ts
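Review bot: `id: this.indexPattern.id!` in the new `toExpressionAst` asserts away a possibly-missing data view id, so a data view without one would serialize as `indexPatternLoad id=undefined` and fail only later, when the generated expression is executed far from the code that produced it. Fail at the point of generation with a clear message instead, e.g. `if (!this.indexPattern.id) throw new Error('AggConfigs.toExpressionAst requires a persisted data view (missing id)');` placed before the `return`, and record that precondition in the method's JSDoc with an `@throws` line. Whether an id-less `DataView` can actually reach this method is not visible from the hunk; the guard is cheap either way and keeps the assertion out of the serialized expression.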
+++ b/src/plugins/data/common/search/aggs/aggs_service.ts @@ -7,7 +7,8 @@ */ import { ExpressionsServiceSetup } from '@kbn/expressions-plugin/common'; -import { CreateAggConfigParams, IndexPattern, UI_SETTINGS } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; +import { CreateAggConfigParams, UI_SETTINGS } from '../..'; import { GetConfigFn } from '../../types'; import { AggConfigs, @@ -37,7 +38,7 @@ export interface AggsCommonSetupDependencies { export interface AggsCommonStartDependencies { getConfig: GetConfigFn; - getIndexPattern(id: string): Promise; + getIndexPattern(id: string): Promise; isDefaultTimezone: () => boolean; } @@ -70,10 +71,7 @@ export class AggsCommonService { const aggTypesStart = this.aggTypesRegistry.start(); const calculateAutoTimeExpression = getCalculateAutoTimeExpression(getConfig); - const createAggConfigs = ( - indexPattern: IndexPattern, - configStates?: CreateAggConfigParams[] - ) => { + const createAggConfigs = (indexPattern: DataView, configStates?: CreateAggConfigParams[]) => { return new AggConfigs(indexPattern, configStates, { typesRegistry: aggTypesStart, }); diff --git a/src/plugins/data/common/search/aggs/buckets/_terms_other_bucket_helper.test.ts b/src/plugins/data/common/search/aggs/buckets/_terms_other_bucket_helper.test.ts index 0ed504861c5ba..ecddf794ecb60 100644 --- a/src/plugins/data/common/search/aggs/buckets/_terms_other_bucket_helper.test.ts +++ b/src/plugins/data/common/search/aggs/buckets/_terms_other_bucket_helper.test.ts 
@@ -13,12 +13,11 @@ import { OTHER_BUCKET_SEPARATOR as SEP, constructSingleTermOtherFilter, } from './_terms_other_bucket_helper'; +import type { DataViewField, DataView } from '@kbn/data-views-plugin/common'; import { AggConfigs, CreateAggConfigParams } from '../agg_configs'; import { BUCKET_TYPES } from './bucket_agg_types'; import { IBucketAggConfig } from './bucket_agg_type'; import { mockAggTypesRegistry } from '../test_helpers'; -import type { IndexPatternField } from '../../..'; -import { IndexPattern } from '../../..'; const indexPattern = { id: '1234', @@ -41,9 +40,9 @@ const indexPattern = { searchable: true, }, ], -} as IndexPattern; +} as DataView; -indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); +indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); const singleTerm = { aggs: [ diff --git a/src/plugins/data/common/search/aggs/buckets/date_histogram.ts b/src/plugins/data/common/search/aggs/buckets/date_histogram.ts index 1d776bf643e1b..4d33255af5483 100644 --- a/src/plugins/data/common/search/aggs/buckets/date_histogram.ts +++ b/src/plugins/data/common/search/aggs/buckets/date_histogram.ts @@ -10,8 +10,8 @@ import { get, noop, find, every, omitBy, isNil } from 'lodash'; import moment from 'moment-timezone'; import { i18n } from '@kbn/i18n'; +import { DataViewFieldBase } from '@kbn/es-query'; import { KBN_FIELD_TYPES, TimeRange, TimeRangeBounds, UI_SETTINGS } from '../../..'; -import { IFieldType } from '../../..'; import { ExtendedBounds, extendedBoundsToAst, timerangeToAst } from '../../expressions'; import { intervalOptions, autoInterval, isAutoInterval } from './_interval_options'; 
@@ -59,7 +59,7 @@ export function isDateHistogramBucketAggConfig(agg: any): agg is IBucketDateHist } export interface AggParamsDateHistogram extends BaseAggParams { - field?: IFieldType | string; + field?: DataViewFieldBase | string; timeRange?: TimeRange; useNormalizedEsInterval?: boolean; scaleMetricValues?: boolean; diff --git a/src/plugins/data/common/search/aggs/buckets/multi_terms.test.ts b/src/plugins/data/common/search/aggs/buckets/multi_terms.test.ts index 0244204ae7e14..f207b46b16c70 100644 --- a/src/plugins/data/common/search/aggs/buckets/multi_terms.test.ts +++ b/src/plugins/data/common/search/aggs/buckets/multi_terms.test.ts @@ -10,8 +10,7 @@ import { AggConfigs } from '../agg_configs'; import { METRIC_TYPES } from '../metrics'; import { mockAggTypesRegistry } from '../test_helpers'; import { BUCKET_TYPES } from './bucket_agg_types'; -import type { IndexPatternField } from '../../..'; -import { IndexPattern } from '../../..'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/common'; describe('Multi Terms Agg', () => { const getAggConfigs = (params: Record = {}) => { @@ -52,9 +51,9 @@ describe('Multi Terms Agg', () => { searchable: true, }, ], - } as IndexPattern; + } as DataView; - indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); + indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); indexPattern.fields.filter = () => indexPattern.fields; return new AggConfigs( @@ -161,9 +160,9 @@ describe('Multi Terms Agg', () => { searchable: true, }, ], - } as IndexPattern; + } as DataView; - indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); + indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); indexPattern.fields.filter = () => indexPattern.fields; const aggConfigs = new AggConfigs( 
diff --git a/src/plugins/data/common/search/aggs/buckets/rare_terms.test.ts b/src/plugins/data/common/search/aggs/buckets/rare_terms.test.ts index 8acbd95082a08..ed2b09bdcf832 100644 --- a/src/plugins/data/common/search/aggs/buckets/rare_terms.test.ts +++ b/src/plugins/data/common/search/aggs/buckets/rare_terms.test.ts @@ -9,8 +9,7 @@ import { AggConfigs } from '../agg_configs'; import { mockAggTypesRegistry } from '../test_helpers'; import { BUCKET_TYPES } from './bucket_agg_types'; -import type { IndexPatternField } from '../../..'; -import { IndexPattern } from '../../..'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/common'; describe('rare terms Agg', () => { const getAggConfigs = (params: Record = {}) => { @@ -51,9 +50,9 @@ describe('rare terms Agg', () => { searchable: true, }, ], - } as IndexPattern; + } as DataView; - indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); + indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); indexPattern.fields.filter = () => indexPattern.fields; return new AggConfigs( diff --git a/src/plugins/data/common/search/aggs/buckets/terms.test.ts b/src/plugins/data/common/search/aggs/buckets/terms.test.ts index b12545455157e..6fe9065282585 100644 --- a/src/plugins/data/common/search/aggs/buckets/terms.test.ts +++ b/src/plugins/data/common/search/aggs/buckets/terms.test.ts @@ -10,8 +10,7 @@ import { AggConfigs } from '../agg_configs'; import { METRIC_TYPES } from '../metrics'; import { mockAggTypesRegistry } from '../test_helpers'; import { BUCKET_TYPES } from './bucket_agg_types'; -import type { IndexPatternField } from '../../..'; -import { IndexPattern } from '../../..'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/common'; describe('Terms Agg', () => { describe('order agg editor UI', () => { 
@@ -53,9 +52,9 @@ describe('Terms Agg', () => { searchable: true, }, ], - } as IndexPattern; + } as DataView; - indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); + indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); indexPattern.fields.filter = () => indexPattern.fields; return new AggConfigs( @@ -258,9 +257,9 @@ describe('Terms Agg', () => { searchable: true, }, ], - } as IndexPattern; + } as DataView; - indexPattern.fields.getByName = (name) => ({ name } as unknown as IndexPatternField); + indexPattern.fields.getByName = (name) => ({ name } as unknown as DataViewField); indexPattern.fields.filter = () => indexPattern.fields; const aggConfigs = new AggConfigs( diff --git a/src/plugins/data/common/search/aggs/param_types/field.ts b/src/plugins/data/common/search/aggs/param_types/field.ts index 077978e952e43..f8168e5f9cf69 100644 --- a/src/plugins/data/common/search/aggs/param_types/field.ts +++ b/src/plugins/data/common/search/aggs/param_types/field.ts @@ -8,7 +8,7 @@ import { i18n } from '@kbn/i18n'; import { SavedFieldNotFound, SavedFieldTypeInvalidForAgg } from '@kbn/kibana-utils-plugin/common'; -import { isNestedField, IndexPatternField, DataViewField } from '@kbn/data-views-plugin/common'; +import { isNestedField, DataViewField } from '@kbn/data-views-plugin/common'; import { IAggConfig } from '../agg_config'; import { BaseParamType } from './base'; import { propFilter } from '../utils'; @@ -105,7 +105,7 @@ export class FieldParamType extends BaseParamType { }; } - this.serialize = (field: IndexPatternField) => { + this.serialize = (field: DataViewField) => { return field.name; }; @@ -116,7 +116,7 @@ export class FieldParamType extends BaseParamType { const field = aggConfig.getIndexPattern().fields.getByName(fieldName); if (!field) { - return new IndexPatternField({ + return new DataViewField({ type: KBN_FIELD_TYPES.MISSING, name: fieldName, searchable: false, 
@@ -133,7 +133,7 @@ export class FieldParamType extends BaseParamType { */ getAvailableFields = (aggConfig: IAggConfig) => { const fields = aggConfig.getIndexPattern().fields; - const filteredFields = fields.filter((field: IndexPatternField) => { + const filteredFields = fields.filter((field: DataViewField) => { const { onlyAggregatable, scriptable, filterFieldTypes, filterField } = this; if (filterField) { diff --git a/src/plugins/data/common/search/aggs/types.ts b/src/plugins/data/common/search/aggs/types.ts index 942bdc492f6f7..0b0701cc46eaf 100644 --- a/src/plugins/data/common/search/aggs/types.ts +++ b/src/plugins/data/common/search/aggs/types.ts @@ -7,7 +7,7 @@ */ import { Assign } from '@kbn/utility-types'; -import { IndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { aggAvg, aggBucketAvg, @@ -115,7 +115,7 @@ export interface AggsCommonSetup { export interface AggsCommonStart { calculateAutoTimeExpression: ReturnType; createAggConfigs: ( - indexPattern: IndexPattern, + indexPattern: DataView, configStates?: CreateAggConfigParams[] ) => InstanceType; types: ReturnType; diff --git a/src/plugins/data/common/search/aggs/utils/infer_time_zone.test.ts b/src/plugins/data/common/search/aggs/utils/infer_time_zone.test.ts index f1cfc3f0e81e0..13acff39ebaa4 100644 --- a/src/plugins/data/common/search/aggs/utils/infer_time_zone.test.ts +++ b/src/plugins/data/common/search/aggs/utils/infer_time_zone.test.ts @@ -18,7 +18,7 @@ jest.mock('moment', () => { return moment; }); -import { IndexPattern, IndexPatternField } from '../../..'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/common'; import { AggParamsDateHistogram } from '../buckets'; import { inferTimeZone } from './infer_time_zone'; 
@@ -27,7 +27,7 @@ describe('inferTimeZone', () => { const params: AggParamsDateHistogram = { time_zone: 'CEST', }; - expect(inferTimeZone(params, {} as IndexPattern, () => false, jest.fn())).toEqual('CEST'); + expect(inferTimeZone(params, {} as DataView, () => false, jest.fn())).toEqual('CEST'); }); it('reads time zone from index pattern type meta if available', () => { @@ -44,7 +44,7 @@ describe('inferTimeZone', () => { }, }, }, - } as unknown as IndexPattern, + } as unknown as DataView, () => false, jest.fn() ) @@ -57,7 +57,7 @@ describe('inferTimeZone', () => { { field: { name: 'mydatefield', - } as IndexPatternField, + } as DataViewField, }, { typeMeta: { @@ -69,7 +69,7 @@ describe('inferTimeZone', () => { }, }, }, - } as unknown as IndexPattern, + } as unknown as DataView, () => false, jest.fn() ) @@ -77,14 +77,14 @@ describe('inferTimeZone', () => { }); it('reads time zone from moment if set to default', () => { - expect(inferTimeZone({}, {} as IndexPattern, () => true, jest.fn())).toEqual('CET'); + expect(inferTimeZone({}, {} as DataView, () => true, jest.fn())).toEqual('CET'); }); it('reads time zone from config if not set to default', () => { expect( inferTimeZone( {}, - {} as IndexPattern, + {} as DataView, () => false, () => 'CET' as any ) diff --git a/src/plugins/data/common/search/aggs/utils/infer_time_zone.ts b/src/plugins/data/common/search/aggs/utils/infer_time_zone.ts index 21c022d8e293c..c94f99b7eb928 100644 --- a/src/plugins/data/common/search/aggs/utils/infer_time_zone.ts +++ b/src/plugins/data/common/search/aggs/utils/infer_time_zone.ts @@ -7,12 +7,12 @@ */ import moment from 'moment'; -import { IndexPattern } from '../../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { AggParamsDateHistogram } from '../buckets'; export function inferTimeZone( params: AggParamsDateHistogram, - indexPattern: IndexPattern, + indexPattern: DataView, isDefaultTimezone: () => boolean, getConfig: (key: string) => T ) { 
diff --git a/src/plugins/data/common/search/expressions/esaggs/esaggs_fn.ts b/src/plugins/data/common/search/expressions/esaggs/esaggs_fn.ts index 6ef043a33dcbe..7f03aacdb8c90 100644 --- a/src/plugins/data/common/search/expressions/esaggs/esaggs_fn.ts +++ b/src/plugins/data/common/search/expressions/esaggs/esaggs_fn.ts @@ -13,7 +13,7 @@ import type { Datatable, ExpressionFunctionDefinition } from '@kbn/expressions-p import { buildExpressionFunction } from '@kbn/expressions-plugin/common'; import { IndexPatternExpressionType } from '@kbn/data-views-plugin/common/expressions'; -import { IndexPatternsContract } from '../../..'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { AggsStart, AggExpressionType, aggCountFnName } from '../../aggs'; import { ISearchStartSearchSource } from '../../search_source'; @@ -44,7 +44,7 @@ export type EsaggsExpressionFunctionDefinition = ExpressionFunctionDefinition< /** @internal */ export interface EsaggsStartDependencies { aggs: AggsStart; - indexPatterns: IndexPatternsContract; + indexPatterns: DataViewsContract; searchSource: ISearchStartSearchSource; getNow?: () => Date; } diff --git a/src/plugins/data/common/search/expressions/esaggs/request_handler.test.ts b/src/plugins/data/common/search/expressions/esaggs/request_handler.test.ts index eefaf8a9dcd54..e316652da8cbe 100644 --- a/src/plugins/data/common/search/expressions/esaggs/request_handler.test.ts +++ b/src/plugins/data/common/search/expressions/esaggs/request_handler.test.ts 
@@ -9,10 +9,10 @@ import { from } from 'rxjs'; import type { MockedKeys } from '@kbn/utility-types/jest'; import type { Filter } from '../../../es_query'; -import type { IndexPattern } from '../../..'; import type { IAggConfigs } from '../../aggs'; import type { ISearchSource } from '../../search_source'; import { searchSourceCommonMock, searchSourceInstanceMock } from '../../search_source/mocks'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { handleRequest } from './request_handler'; @@ -40,6 +40,7 @@ describe('esaggs expression function - public', () => { abortSignal: jest.fn() as unknown as jest.Mocked, aggs: { aggs: [{ type: { name: 'terms', postFlightRequest: jest.fn().mockResolvedValue({}) } }], + partialRows: false, setTimeRange: jest.fn(), toDsl: jest.fn().mockReturnValue({ aggs: {} }), onSearchRequestStart: jest.fn(), @@ -47,9 +48,8 @@ describe('esaggs expression function - public', () => { setForceNow: jest.fn(), } as unknown as jest.Mocked, filters: undefined, - indexPattern: { id: 'logstash-*' } as unknown as jest.Mocked, + indexPattern: { id: 'logstash-*' } as unknown as jest.Mocked, inspectorAdapters: {}, - partialRows: false, query: undefined, searchSessionId: 'abc123', searchSourceService: searchSourceCommonMock, @@ -147,7 +147,7 @@ describe('esaggs expression function - public', () => { mockParams.aggs, {}, { - partialRows: mockParams.partialRows, + partialRows: mockParams.aggs.partialRows, timeRange: mockParams.timeRange, } ); diff --git a/src/plugins/data/common/search/expressions/esaggs/request_handler.ts b/src/plugins/data/common/search/expressions/esaggs/request_handler.ts index 4c93667b502c8..8caa93c4461ef 100644 --- a/src/plugins/data/common/search/expressions/esaggs/request_handler.ts +++ b/src/plugins/data/common/search/expressions/esaggs/request_handler.ts 
@@ -10,8 +10,9 @@ import { i18n } from '@kbn/i18n'; import { defer } from 'rxjs'; import { map, switchMap } from 'rxjs/operators'; import { Adapters } from '@kbn/inspector-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/common'; -import { calculateBounds, Filter, IndexPattern, Query, TimeRange } from '../../..'; +import { calculateBounds, Filter, Query, TimeRange } from '../../..'; import { IAggConfigs } from '../../aggs'; import { ISearchStartSearchSource } from '../../search_source'; @@ -21,10 +22,8 @@ interface RequestHandlerParams { abortSignal?: AbortSignal; aggs: IAggConfigs; filters?: Filter[]; - indexPattern?: IndexPattern; + indexPattern?: DataView; inspectorAdapters: Adapters; - metricsAtAllLevels?: boolean; - partialRows?: boolean; query?: Query; searchSessionId?: string; searchSourceService: ISearchStartSearchSource; @@ -40,7 +39,6 @@ export const handleRequest = ({ filters, indexPattern, inspectorAdapters, - partialRows, query, searchSessionId, searchSourceService, @@ -130,7 +128,7 @@ export const handleRequest = ({ const parsedTimeRange = timeRange ? calculateBounds(timeRange, { forceNow }) : null; const tabifyParams = { metricsAtAllLevels: aggs.hierarchical, - partialRows, + partialRows: aggs.partialRows, timeRange: parsedTimeRange ? { from: parsedTimeRange.min, to: parsedTimeRange.max, timeFields: allTimeFields } : undefined, diff --git a/src/plugins/data/common/search/expressions/exists_filter.ts b/src/plugins/data/common/search/expressions/exists_filter.ts index a14deac30fdc8..b98d7d7a38185 100644 --- a/src/plugins/data/common/search/expressions/exists_filter.ts +++ b/src/plugins/data/common/search/expressions/exists_filter.ts 
@@ -8,9 +8,9 @@ import { i18n } from '@kbn/i18n'; import { ExpressionFunctionDefinition } from '@kbn/expressions-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { buildFilter, FILTERS } from '@kbn/es-query'; import { KibanaField, KibanaFilter } from './kibana_context_type'; -import { IndexPattern } from '../..'; interface Arguments { field: KibanaField; @@ -52,7 +52,7 @@ export const existsFilterFunction: ExpressionFunctionExistsFilter = { return { type: 'kibana_filter', ...buildFilter( - {} as any as IndexPattern, + {} as any as DataView, args.field.spec, FILTERS.EXISTS, args.negate || false, diff --git a/src/plugins/data/common/search/expressions/kibana_context.test.ts b/src/plugins/data/common/search/expressions/kibana_context.test.ts index 3e07366b76c2d..b69809bd9d981 100644 --- a/src/plugins/data/common/search/expressions/kibana_context.test.ts +++ b/src/plugins/data/common/search/expressions/kibana_context.test.ts @@ -89,16 +89,28 @@ describe('kibanaContextFn', () => { } as any); const args = { ...emptyArgs, - q: { - type: 'kibana_query' as 'kibana_query', - language: 'test', - query: { - type: 'test', - match_phrase: { - test: 'something2', + q: [ + { + type: 'kibana_query' as 'kibana_query', + language: 'test', + query: { + type: 'test', + match_phrase: { + test: 'something2', + }, }, }, - }, + { + type: 'kibana_query' as 'kibana_query', + language: 'test', + query: { + type: 'test', + match_phrase: { + test: 'something3', + }, + }, + }, + ], savedSearchId: 'test', }; const input: KibanaContext = { @@ -183,6 +195,16 @@ describe('kibanaContextFn', () => { }, }, }, + { + type: 'kibana_query', + language: 'test', + query: { + type: 'test', + match_phrase: { + test: 'something3', + }, + }, + }, { language: 'kuery', query: { diff --git a/src/plugins/data/common/search/expressions/kibana_context.ts b/src/plugins/data/common/search/expressions/kibana_context.ts index c95e7e99017c0..6183484a57b46 100644 
--- a/src/plugins/data/common/search/expressions/kibana_context.ts
+++ b/src/plugins/data/common/search/expressions/kibana_context.ts
@@ -14,17 +14,17 @@ import { Filter } from '@kbn/es-query';
 import { Query, uniqFilters } from '@kbn/es-query';
 import { unboxExpressionValue } from '@kbn/expressions-plugin/common';
 import { SavedObjectReference } from '@kbn/core/types';
+import { SavedObjectsClientCommon } from '@kbn/data-views-plugin/common';
 import { ExecutionContextSearch, KibanaContext, KibanaFilter } from './kibana_context_type';
 import { KibanaQueryOutput } from './kibana_context_type';
 import { KibanaTimerangeOutput } from './timerange';
-import { SavedObjectsClientCommon } from '../..';
 export interface KibanaContextStartDependencies {
 savedObjectsClient: SavedObjectsClientCommon;
 }
 interface Arguments {
- q?: KibanaQueryOutput | null;
+ q?: KibanaQueryOutput[] | null;
 filters?: KibanaFilter[] | null;
 timeRange?: KibanaTimerangeOutput | null;
 savedSearchId?: string | null;
@@ -62,8 +62,8 @@ export const getKibanaContextFn = (
 args: {
 q: {
 types: ['kibana_query', 'null'],
+ multi: true,
 aliases: ['query', '_'],
- default: null,
 help: i18n.translate('data.search.functions.kibana_context.q.help', {
 defaultMessage: 'Specify Kibana free form text query',
 }),
@@ -123,7 +123,7 @@ export const getKibanaContextFn = (
 const { savedObjectsClient } = await getStartDependencies(getKibanaRequest);
 const timeRange = args.timeRange || input?.timeRange;
- let queries = mergeQueries(input?.query, args?.q || []);
+ let queries = mergeQueries(input?.query, args?.q?.filter(Boolean) || []);
 let filters = [
 ...(input?.filters || []),
 ...((args?.filters?.map(unboxExpressionValue) || []) as Filter[]),
diff --git a/src/plugins/data/common/search/expressions/kibana_context_type.ts b/src/plugins/data/common/search/expressions/kibana_context_type.ts
index ef6b448ae0f8b..53a443166a57f 100644
--- a/src/plugins/data/common/search/expressions/kibana_context_type.ts
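Review bot: `q` is declared as `KibanaQueryOutput[] | null` in `Arguments`, yet the execution line filters it with `args?.q?.filter(Boolean)`, which is only needed if elements can be `null` (as `types: ['kibana_query', 'null']` allows). Declare the element type honestly, `q?: Array<KibanaQueryOutput | null> | null;`, so the filter is required by the type checker rather than incidental and cannot be dropped silently by a later edit; if `mergeQueries` then rejects the unnarrowed array, use a typed predicate, `.filter((query): query is KibanaQueryOutput => Boolean(query))`. With `default: null` removed and `multi: true` added, an omitted `q` presumably arrives as `undefined`, which the optional chain already covers. The enclosing `fn` body continues outside the hunks shown.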
+++ b/src/plugins/data/common/search/expressions/kibana_context_type.ts @@ -8,7 +8,7 @@ import { Filter } from '@kbn/es-query'; import { ExpressionValueBoxed, ExpressionValueFilter } from '@kbn/expressions-plugin/common'; import { Query, TimeRange } from '../../query'; -import { adaptToExpressionValueFilter, IndexPatternField } from '../..'; +import { adaptToExpressionValueFilter, DataViewField } from '../..'; // eslint-disable-next-line @typescript-eslint/consistent-type-definitions export type ExecutionContextSearch = { @@ -24,7 +24,7 @@ export type ExpressionValueSearchContext = ExpressionValueBoxed< export type KibanaQueryOutput = ExpressionValueBoxed<'kibana_query', Query>; export type KibanaFilter = ExpressionValueBoxed<'kibana_filter', Filter>; -export type KibanaField = ExpressionValueBoxed<'kibana_field', IndexPatternField>; +export type KibanaField = ExpressionValueBoxed<'kibana_field', DataViewField>; // TODO: These two are exported for legacy reasons - remove them eventually. export type KIBANA_CONTEXT_NAME = 'kibana_context'; diff --git a/src/plugins/data/common/search/expressions/phrase_filter.ts b/src/plugins/data/common/search/expressions/phrase_filter.ts index 175ae44b57128..7ae18f0131984 100644 --- a/src/plugins/data/common/search/expressions/phrase_filter.ts +++ b/src/plugins/data/common/search/expressions/phrase_filter.ts @@ -8,9 +8,9 @@ import { i18n } from '@kbn/i18n'; import { ExpressionFunctionDefinition } from '@kbn/expressions-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { buildFilter, FILTERS } from '@kbn/es-query'; import { KibanaField, KibanaFilter } from './kibana_context_type'; -import { IndexPattern } from '../..'; interface Arguments { field: KibanaField; 
@@ -62,7 +62,7 @@ export const phraseFilterFunction: ExpressionFunctionPhraseFilter = { return { type: 'kibana_filter', ...buildFilter( - {} as any as IndexPattern, + {} as any as DataView, args.field.spec, FILTERS.PHRASE, args.negate || false, @@ -76,7 +76,7 @@ export const phraseFilterFunction: ExpressionFunctionPhraseFilter = { return { type: 'kibana_filter', ...buildFilter( - {} as any as IndexPattern, + {} as any as DataView, args.field.spec, FILTERS.PHRASES, args.negate || false, diff --git a/src/plugins/data/common/search/expressions/range_filter.ts b/src/plugins/data/common/search/expressions/range_filter.ts index 9fde8b99716f7..8e4c6a1e7e6fd 100644 --- a/src/plugins/data/common/search/expressions/range_filter.ts +++ b/src/plugins/data/common/search/expressions/range_filter.ts @@ -9,8 +9,8 @@ import { i18n } from '@kbn/i18n'; import { ExpressionFunctionDefinition } from '@kbn/expressions-plugin/common'; import { buildFilter, FILTERS } from '@kbn/es-query'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { KibanaField, KibanaFilter } from './kibana_context_type'; -import { IndexPattern } from '../..'; import { KibanaRange } from './range'; interface Arguments { @@ -61,7 +61,7 @@ export const rangeFilterFunction: ExpressionFunctionRangeFilter = { return { type: 'kibana_filter', ...buildFilter( - {} as any as IndexPattern, + {} as any as DataView, args.field.spec, FILTERS.RANGE, args.negate || false, diff --git a/src/plugins/data/common/search/search_source/create_search_source.test.ts b/src/plugins/data/common/search/search_source/create_search_source.test.ts index 9ad2e5c40697c..c67e8a21b4f9a 100644 --- a/src/plugins/data/common/search/search_source/create_search_source.test.ts +++ b/src/plugins/data/common/search/search_source/create_search_source.test.ts 
@@ -8,18 +8,18 @@ import { createSearchSource as createSearchSourceFactory } from './create_search_source'; import { SearchSourceDependencies } from './search_source'; -import { IIndexPattern } from '../..'; -import { IndexPatternsContract } from '../..'; +import type { DataView, DataViewsContract } from '@kbn/data-views-plugin/common'; import { Filter } from '../../es_query'; describe('createSearchSource', () => { - const indexPatternMock: IIndexPattern = {} as IIndexPattern; - let indexPatternContractMock: jest.Mocked; + const indexPatternMock: DataView = {} as DataView; + let indexPatternContractMock: jest.Mocked; let dependencies: SearchSourceDependencies; let createSearchSource: ReturnType; beforeEach(() => { dependencies = { + aggs: {} as SearchSourceDependencies['aggs'], getConfig: jest.fn(), search: jest.fn(), onResponse: (req, res) => res, @@ -27,7 +27,7 @@ describe('createSearchSource', () => { indexPatternContractMock = { get: jest.fn().mockReturnValue(Promise.resolve(indexPatternMock)), - } as unknown as jest.Mocked; + } as unknown as jest.Mocked; createSearchSource = createSearchSourceFactory(indexPatternContractMock, dependencies); }); diff --git a/src/plugins/data/common/search/search_source/create_search_source.ts b/src/plugins/data/common/search/search_source/create_search_source.ts index 3d2300940ac06..c6093da07b8c2 100644 --- a/src/plugins/data/common/search/search_source/create_search_source.ts +++ b/src/plugins/data/common/search/search_source/create_search_source.ts @@ -6,9 +6,10 @@ * Side Public License, v 1. */ +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { migrateLegacyQuery } from './migrate_legacy_query'; import { SearchSource, SearchSourceDependencies } from './search_source'; -import { IndexPatternsContract, SerializedSearchSourceFields } from '../..'; +import { SerializedSearchSourceFields } from '../..'; import { SearchSourceFields } from './types'; /** 
@@ -29,7 +30,7 @@ import { SearchSourceFields } from './types'; * * @public */ export const createSearchSource = ( - indexPatterns: IndexPatternsContract, + indexPatterns: DataViewsContract, searchSourceDependencies: SearchSourceDependencies ) => { const createFields = async (searchSourceFields: SerializedSearchSourceFields = {}) => { diff --git a/src/plugins/data/common/search/search_source/mocks.ts b/src/plugins/data/common/search/search_source/mocks.ts index eb10855460236..17b7235d9ccc6 100644 --- a/src/plugins/data/common/search/search_source/mocks.ts +++ b/src/plugins/data/common/search/search_source/mocks.ts @@ -10,7 +10,7 @@ import { of } from 'rxjs'; import type { MockedKeys } from '@kbn/utility-types/jest'; import { uiSettingsServiceMock } from '@kbn/core/public/mocks'; -import { SearchSource } from './search_source'; +import { SearchSource, SearchSourceDependencies } from './search_source'; import { ISearchStartSearchSource, ISearchSource, SearchSourceFields } from './types'; export const searchSourceInstanceMock: MockedKeys = { @@ -35,6 +35,7 @@ export const searchSourceInstanceMock: MockedKeys = { history: [], getSerializedFields: jest.fn(), serialize: jest.fn(), + toExpressionAst: jest.fn(), }; export const searchSourceCommonMock: jest.Mocked = { @@ -48,6 +49,9 @@ export const searchSourceCommonMock: jest.Mocked = { export const createSearchSourceMock = (fields?: SearchSourceFields, response?: any) => new SearchSource(fields, { + aggs: { + createAggConfigs: jest.fn(), + } as unknown as SearchSourceDependencies['aggs'], getConfig: uiSettingsServiceMock.createStartContract().get, search: jest.fn().mockReturnValue( of( diff --git a/src/plugins/data/common/search/search_source/normalize_sort_request.test.ts b/src/plugins/data/common/search/search_source/normalize_sort_request.test.ts index 689740326ab9d..134886efe9e0c 100644 --- a/src/plugins/data/common/search/search_source/normalize_sort_request.test.ts 
+++ b/src/plugins/data/common/search/search_source/normalize_sort_request.test.ts @@ -8,7 +8,7 @@ import { normalizeSortRequest } from './normalize_sort_request'; import { SortDirection } from './types'; -import { IIndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; describe('SearchSource#normalizeSortRequest', function () { const scriptedField = { @@ -37,7 +37,7 @@ describe('SearchSource#normalizeSortRequest', function () { }; const indexPattern = { fields: [scriptedField, stringScriptedField, booleanScriptedField, murmurScriptedField], - } as IIndexPattern; + } as DataView; it('should return an array', function () { const sortable = { someField: SortDirection.desc }; diff --git a/src/plugins/data/common/search/search_source/normalize_sort_request.ts b/src/plugins/data/common/search/search_source/normalize_sort_request.ts index 3d8f9482d16d9..5744b1fd53801 100644 --- a/src/plugins/data/common/search/search_source/normalize_sort_request.ts +++ b/src/plugins/data/common/search/search_source/normalize_sort_request.ts @@ -6,12 +6,12 @@ * Side Public License, v 1. */ -import { IIndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { EsQuerySortValue, SortOptions } from './types'; export function normalizeSortRequest( sortObject: EsQuerySortValue | EsQuerySortValue[], - indexPattern: IIndexPattern | string | undefined, + indexPattern: DataView | string | undefined, defaultSortOptions: SortOptions = {} ) { const sortArray: EsQuerySortValue[] = Array.isArray(sortObject) ? sortObject : [sortObject]; @@ -27,7 +27,7 @@ export function normalizeSortRequest( */ function normalize( sortable: EsQuerySortValue, - indexPattern: IIndexPattern | string | undefined, + indexPattern: DataView | string | undefined, defaultSortOptions: any ) { const [[sortField, sortOrder]] = Object.entries(sortable); 
diff --git a/src/plugins/data/common/search/search_source/search_source.test.ts b/src/plugins/data/common/search/search_source/search_source.test.ts index eb0c786bebb6c..044c6414f96e6 100644 --- a/src/plugins/data/common/search/search_source/search_source.test.ts +++ b/src/plugins/data/common/search/search_source/search_source.test.ts @@ -7,13 +7,16 @@ */ import { lastValueFrom, of, throwError } from 'rxjs'; -import { IndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; +import { buildExpression, ExpressionAstExpression } from '@kbn/expressions-plugin/common'; +import type { MockedKeys } from '@kbn/utility-types/jest'; import { SearchSource, SearchSourceDependencies, SortDirection } from '.'; import { AggConfigs, AggTypesRegistryStart } from '../..'; import { mockAggTypesRegistry } from '../aggs/test_helpers'; import { RequestResponder } from '@kbn/inspector-plugin/common'; import { switchMap } from 'rxjs/operators'; import { Filter } from '@kbn/es-query'; +import { stubIndexPattern } from '../../stubs'; const getComputedFields = () => ({ storedFields: [], @@ -26,17 +29,18 @@ const mockSource = { excludes: ['foo-*'] }; const mockSource2 = { excludes: ['bar-*'] }; const indexPattern = { + id: '1234', title: 'foo', fields: [{ name: 'foo-bar' }, { name: 'field1' }, { name: 'field2' }, { name: '_id' }], getComputedFields, getSourceFiltering: () => mockSource, -} as unknown as IndexPattern; +} as unknown as DataView; const indexPattern2 = { title: 'foo', getComputedFields, getSourceFiltering: () => mockSource2, -} as unknown as IndexPattern; +} as unknown as DataView; const fields3 = [{ name: 'foo-bar' }, { name: 'field1' }, { name: 'field2' }]; const indexPattern3 = { @@ -51,7 +55,7 @@ const indexPattern3 = { }, getComputedFields, getSourceFiltering: () => mockSource, -} as unknown as IndexPattern; +} as unknown as DataView; const runtimeFieldDef = { type: 'keyword', 
@@ -62,10 +66,13 @@ const runtimeFieldDef = { describe('SearchSource', () => { let mockSearchMethod: any; - let searchSourceDependencies: SearchSourceDependencies; + let searchSourceDependencies: MockedKeys; let searchSource: SearchSource; beforeEach(() => { + const aggsMock = { + createAggConfigs: jest.fn(), + } as unknown as jest.Mocked; const getConfigMock = jest .fn() .mockImplementation((param) => param === 'metaFields' && ['_type', '_source', '_id']) @@ -81,6 +88,7 @@ describe('SearchSource', () => { ); searchSourceDependencies = { + aggs: aggsMock, getConfig: getConfigMock, search: mockSearchMethod, onResponse: (req, res) => res, @@ -147,7 +155,7 @@ describe('SearchSource', () => { docvalueFields: ['@timestamp'], runtimeFields, }), - } as unknown as IndexPattern); + } as unknown as DataView); const request = searchSource.getSearchRequestBody(); expect(request.stored_fields).toEqual(['hello']); @@ -164,7 +172,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: ['@timestamp'], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['@timestamp']); searchSource.setField('fieldsFromSource', ['foo']); @@ -180,7 +188,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: ['hello'], }), - } as unknown as IndexPattern); + } as unknown as DataView); // @ts-expect-error TS won't like using this field name, but technically it's possible. searchSource.setField('docvalue_fields', ['world']); @@ -197,7 +205,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: [{ field: 'a', format: 'date_time' }], }), - } as unknown as IndexPattern); + } as unknown as DataView); // @ts-expect-error TS won't like using this field name, but technically it's possible. searchSource.setField('docvalue_fields', [{ field: 'b', format: 'date_time' }]); searchSource.setField('fields', ['c']); 
@@ -223,7 +231,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: [{ field: 'hello', format: 'date_time' }], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', [{ field: 'hello', format: 'strict_date_time' }]); const request = searchSource.getSearchRequestBody(); @@ -239,7 +247,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: [{ field: 'hello', format: 'date_time' }], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello']); const request = searchSource.getSearchRequestBody(); @@ -260,7 +268,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: [{ field: 'hello', format: 'date_time', a: 'test', b: 'test' }], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', [{ field: 'hello', a: 'a', c: 'c' }]); const request = searchSource.getSearchRequestBody(); @@ -278,7 +286,7 @@ describe('SearchSource', () => { scriptFields: { hello: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); // @ts-expect-error TS won't like using this field name, but technically it's possible. searchSource.setField('script_fields', { world: {} }); @@ -298,7 +306,7 @@ describe('SearchSource', () => { scriptFields: { hello: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello', 'a', { field: 'c' }]); const request = searchSource.getSearchRequestBody(); @@ -314,7 +322,7 @@ describe('SearchSource', () => { scriptFields: { hello: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello', 'a', { foo: 'c' }]); const request = searchSource.getSearchRequestBody(); 
@@ -330,7 +338,7 @@ describe('SearchSource', () => { scriptFields: { hello: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fieldsFromSource', ['hello', 'a']); const request = searchSource.getSearchRequestBody(); @@ -433,7 +441,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: ['@timestamp', 'exclude-me'], }), - } as unknown as IndexPattern); + } as unknown as DataView); // @ts-expect-error Typings for excludes filters need to be fixed. searchSource.setField('source', { excludes: ['exclude-*'] }); @@ -449,7 +457,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: ['@timestamp', 'foo-bar', 'foo-baz'], }), - } as unknown as IndexPattern); + } as unknown as DataView); const request = searchSource.getSearchRequestBody(); expect(request.fields).toEqual(['@timestamp']); @@ -463,7 +471,7 @@ describe('SearchSource', () => { scriptFields: { hello: {}, world: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello']); const request = searchSource.getSearchRequestBody(); @@ -478,7 +486,7 @@ describe('SearchSource', () => { scriptFields: [], docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', [ 'hello', 'foo-bar', @@ -499,7 +507,7 @@ describe('SearchSource', () => { scriptFields: [], docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['*']); const request = searchSource.getSearchRequestBody(); @@ -514,7 +522,7 @@ describe('SearchSource', () => { scriptFields: [], docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', [{ field: '*', include_unmapped: 'true' }]); const request = searchSource.getSearchRequestBody(); 
@@ -529,7 +537,7 @@ describe('SearchSource', () => { scriptFields: [], docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', [{ field: '*', include_unmapped: 'true' }]); const request = searchSource.getSearchRequestBody(); @@ -551,7 +559,7 @@ describe('SearchSource', () => { scriptFields: { hello: {}, world: {} }, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['timestamp', '*']); const request = searchSource.getSearchRequestBody(); @@ -568,7 +576,7 @@ describe('SearchSource', () => { scriptFields: { hello: {}, world: {} }, docvalueFields: ['@timestamp'], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fieldsFromSource', [ 'hello', 'world', @@ -592,7 +600,7 @@ describe('SearchSource', () => { scriptFields: { hello: {}, world: {} }, docvalueFields: ['@timestamp', 'date'], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello', '@timestamp', 'foo-a', 'bar']); const request = searchSource.getSearchRequestBody(); @@ -611,7 +619,7 @@ describe('SearchSource', () => { docvalueFields: ['@timestamp', 'date'], runtimeFields, }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fieldsFromSource', [ 'hello', '@timestamp', @@ -638,7 +646,7 @@ describe('SearchSource', () => { scriptFields: { hello: {}, world: {} }, docvalueFields: ['@timestamp', 'date', 'time'], }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['hello', '@timestamp', 'foo-a', 'bar']); searchSource.setField('fieldsFromSource', ['foo-b', 'date', 'baz']); 
@@ -665,7 +673,7 @@ describe('SearchSource', () => { getByType: () => [{ name: '@timestamp', esTypes: ['date_nanos'] }], }, getSourceFiltering: () => ({ excludes: [] }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['*']); const request = searchSource.getSearchRequestBody(); @@ -693,7 +701,7 @@ describe('SearchSource', () => { }), fields: indexPatternFields, getSourceFiltering: () => ({ excludes: ['custom_date'] }), - } as unknown as IndexPattern); + } as unknown as DataView); searchSource.setField('fields', ['*']); const request = searchSource.getSearchRequestBody(); @@ -796,7 +804,7 @@ describe('SearchSource', () => { describe('#serialize', () => { test('should reference index patterns', () => { - const indexPattern123 = { id: '123' } as IndexPattern; + const indexPattern123 = { id: '123' } as DataView; searchSource.setField('index', indexPattern123); const { searchSourceJSON, references } = searchSource.serialize(); expect(references[0].id).toEqual('123'); @@ -838,7 +846,7 @@ describe('SearchSource', () => { }); test('should reference index patterns in filters separately from index field', () => { - const indexPattern123 = { id: '123' } as IndexPattern; + const indexPattern123 = { id: '123' } as DataView; searchSource.setField('index', indexPattern123); const filter = [ { @@ -874,7 +882,7 @@ describe('SearchSource', () => { scriptFields: {}, docvalueFields: [], }), - } as unknown as IndexPattern); + } as unknown as DataView); const request = searchSource.getSearchRequestBody(); expect(request.stored_fields).toEqual(['geometry', 'prop1']); expect(request.docvalue_fields).toEqual(['prop1']); @@ -896,7 +904,7 @@ describe('SearchSource', () => { ]; test('should return serialized fields', () => { - const indexPattern123 = { id: '123' } as IndexPattern; + const indexPattern123 = { id: '123' } as DataView; searchSource.setField('index', indexPattern123); searchSource.setField('filter', () => { return filter; 
@@ -928,7 +936,7 @@ describe('SearchSource', () => { }); test('should support nested search sources', () => { - const indexPattern123 = { id: '123' } as IndexPattern; + const indexPattern123 = { id: '123' } as DataView; searchSource.setField('index', indexPattern123); searchSource.setField('from', 123); const childSearchSource = searchSource.createChild(); 
@@ -1309,4 +1317,145 @@ describe('SearchSource', () => { }); }); }); + + describe('#toExpressionAst()', () => { + function toString(ast: ExpressionAstExpression) { + return buildExpression(ast).toString(); + } + + test('should generate an expression AST', () => { + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context + | esdsl dsl=\\"{}\\"" + `); + }); + + test('should generate query argument', () => { + searchSource.setField('query', { language: 'kuery', query: 'something' }); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context q={kql q=\\"something\\"} + | esdsl dsl=\\"{}\\"" + `); + }); + + test('should generate filters argument', () => { + const filter1 = { + query: { query_string: { query: 'query1' } }, + meta: {}, + }; + const filter2 = { + query: { query_string: { query: 'query2' } }, + meta: {}, + }; + searchSource.setField('filter', [filter1, filter2]); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context filters={kibanaFilter query=\\"{\\\\\\"query_string\\\\\\":{\\\\\\"query\\\\\\":\\\\\\"query1\\\\\\"}}\\"} + filters={kibanaFilter query=\\"{\\\\\\"query_string\\\\\\":{\\\\\\"query\\\\\\":\\\\\\"query2\\\\\\"}}\\"} + | esdsl dsl=\\"{}\\"" + `); + }); + + test('should resolve filters if set as a function', () => { + const filter = { + query: { query_string: { query: 'query' } }, + meta: {}, + }; + searchSource.setField('filter', () => filter); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context filters={kibanaFilter query=\\"{\\\\\\"query_string\\\\\\":{\\\\\\"query\\\\\\":\\\\\\"query\\\\\\"}}\\"} + | esdsl dsl=\\"{}\\"" + `); + }); + + test('should merge properties from parent search sources', () => { + const filter1 = { + query: { query_string: { query: 'query1' } }, + meta: {}, + }; + const filter2 = { + query: { query_string: { query: 'query2' } }, + meta: {}, + }; + 
searchSource.setField('query', { language: 'kuery', query: 'something1' }); + searchSource.setField('filter', filter1); + + const childSearchSource = searchSource.createChild(); + childSearchSource.setField('query', { language: 'kuery', query: 'something2' }); + childSearchSource.setField('filter', filter2); + + expect(toString(childSearchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context q={kql q=\\"something2\\"} q={kql q=\\"something1\\"} filters={kibanaFilter query=\\"{\\\\\\"query_string\\\\\\":{\\\\\\"query\\\\\\":\\\\\\"query2\\\\\\"}}\\"} + filters={kibanaFilter query=\\"{\\\\\\"query_string\\\\\\":{\\\\\\"query\\\\\\":\\\\\\"query1\\\\\\"}}\\"} + | esdsl dsl=\\"{}\\"" + `); + }); + + test('should include a data view identifier', () => { + searchSource.setField('index', indexPattern); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context + | esdsl dsl=\\"{}\\" index=\\"1234\\"" + `); + }); + + test('should include size if present', () => { + searchSource.setField('size', 1000); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context + | esdsl size=1000 dsl=\\"{}\\"" + `); + }); + + test('should generate the `esaggs` function if there are aggregations', () => { + const typesRegistry = mockAggTypesRegistry(); + const aggConfigs = new AggConfigs( + stubIndexPattern, + [{ enabled: true, type: 'avg', schema: 'metric', params: { field: 'bytes' } }], + { typesRegistry } + ); + searchSource.setField('aggs', aggConfigs); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context + | esaggs index={indexPatternLoad id=\\"logstash-*\\"} aggs={aggAvg field=\\"bytes\\" id=\\"1\\" enabled=true schema=\\"metric\\"}" + `); + }); + + test('should generate the `esaggs` function if there are aggregations configs', () => { + const typesRegistry = mockAggTypesRegistry(); + searchSourceDependencies.aggs.createAggConfigs.mockImplementationOnce( + 
(dataView, configs) => new AggConfigs(dataView, configs, { typesRegistry }) + ); + searchSource.setField('index', stubIndexPattern); + searchSource.setField('aggs', [ + { enabled: true, type: 'avg', schema: 'metric', params: { field: 'bytes' } }, + ]); + + expect(toString(searchSource.toExpressionAst())).toMatchInlineSnapshot(` + "kibana_context + | esaggs index={indexPatternLoad id=\\"logstash-*\\"} aggs={aggAvg field=\\"bytes\\" id=\\"1\\" enabled=true schema=\\"metric\\"}" + `); + }); + + test('should not include the `esdsl` function to the chain if the `asDatatable` option is false', () => { + expect(toString(searchSource.toExpressionAst({ asDatatable: false }))).toMatchInlineSnapshot( + `"kibana_context"` + ); + }); + + test('should not include the `esaggs` function to the chain if the `asDatatable` option is false', () => { + searchSource.setField('aggs', [ + { enabled: true, type: 'avg', schema: 'metric', params: { field: 'bytes' } }, + ]); + + expect(toString(searchSource.toExpressionAst({ asDatatable: false }))).toMatchInlineSnapshot( + `"kibana_context"` + ); + }); + }); }); diff --git a/src/plugins/data/common/search/search_source/search_source.ts b/src/plugins/data/common/search/search_source/search_source.ts index 87171a4b54498..cd22127ca2fd7 100644 --- a/src/plugins/data/common/search/search_source/search_source.ts +++ b/src/plugins/data/common/search/search_source/search_source.ts 
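Review bot: The final test, "should not include the `esaggs` function to the chain if the `asDatatable` option is false", does not prove what its name claims: it sets serialized aggs but never sets `index`, and in the `toExpressionAst` hunk later on this page serialized aggs without an index never reach `createAggConfigs`, so the chain would contain no `esaggs` even with `asDatatable: true`. Mirror the preceding test's setup — `searchSourceDependencies.aggs.createAggConfigs.mockImplementationOnce(...)`, `searchSource.setField('index', stubIndexPattern)`, then assert that `asDatatable: false` still yields `"kibana_context"` — so the assertion can only be satisfied by the early return. This is inferred from the implementation hunk rather than from this file; confirm against `search_source.ts`. The enclosing `describe('SearchSource')` block starts outside the hunk.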
@@ -75,14 +75,16 @@ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { buildEsQuery, Filter } from '@kbn/es-query'; import { fieldWildcardFilter } from '@kbn/kibana-utils-plugin/common'; import { getHighlightRequest } from '@kbn/field-formats-plugin/common'; -import { normalizeSortRequest } from './normalize_sort_request'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { - AggConfigSerialized, - IIndexPattern, - IndexPattern, - IndexPatternField, - SerializedSearchSourceFields, -} from '../..'; + ExpressionAstExpression, + buildExpression, + buildExpressionFunction, +} from '@kbn/expressions-plugin/common'; +import { normalizeSortRequest } from './normalize_sort_request'; + +import { AggConfigSerialized, DataViewField, SerializedSearchSourceFields } from '../..'; + import { AggConfigs, EsQuerySortValue, @@ -107,7 +109,14 @@ import { isPartialResponse, UI_SETTINGS, } from '../..'; +import { AggsStart } from '../aggs'; import { extractReferences } from './extract_references'; +import { + EsdslExpressionFunctionDefinition, + ExpressionFunctionKibanaContext, + filtersToAst, + queryToAst, +} from '../expressions'; /** @internal */ export const searchSourceRequiredUiSettings = [ @@ -125,9 +134,19 @@ export const searchSourceRequiredUiSettings = [ ]; export interface SearchSourceDependencies extends FetchHandlers { + aggs: AggsStart; search: ISearchGeneric; } +interface ExpressionAstOptions { + /** + * When truthy, it will include either `esaggs` or `esdsl` function to the expression chain. + * In this case, the expression will perform a search and return the `datatable` structure. + * @default true + */ + asDatatable?: boolean; +} + /** @public **/ export class SearchSource { private id: string = uniqueId('data_source'); 
@@ -625,7 +644,7 @@ export class SearchSource { return searchRequest; } - private getIndexType(index?: IIndexPattern) { + private getIndexType(index?: DataView) { return this.shouldOverwriteDataViewType ? this.overwriteDataViewType : index?.type; } @@ -633,7 +652,7 @@ export class SearchSource { typeof fld === 'string' ? fld : fld.field; private getFieldsWithoutSourceFilters( - index: IndexPattern | undefined, + index: DataView | undefined, bodyFields: SearchFieldValue[] ) { if (!index) { @@ -661,14 +680,14 @@ export class SearchSource { } // we need to get the list of fields from an index pattern return fields - .filter((fld: IndexPatternField) => filterSourceFields(fld.name)) - .map((fld: IndexPatternField) => ({ field: fld.name })); + .filter((fld: DataViewField) => filterSourceFields(fld.name)) + .map((fld: DataViewField) => ({ field: fld.name })); } private getFieldFromDocValueFieldsOrIndexPattern( docvaluesIndex: Record, fld: SearchFieldValue, - index?: IndexPattern + index?: DataView ) { if (typeof fld === 'string') { return fld; 
@@ -925,4 +944,54 @@ export class SearchSource { return [filterField]; } + + /** + * Generates an expression abstract syntax tree using the fields set in the current search source and its ancestors. + * The produced expression from the returned AST will return the `datatable` structure. + * If the `asDatatable` option is truthy or omitted, the generator will use the `esdsl` function to perform the search. + * When the `aggs` field is present, it will use the `esaggs` function instead. + * @returns The expression AST. + */ + toExpressionAst({ asDatatable = true }: ExpressionAstOptions = {}): ExpressionAstExpression { + const searchRequest = this.mergeProps(); + const { body, index, query } = searchRequest; + + const filters = ( + typeof searchRequest.filters === 'function' ? searchRequest.filters() : searchRequest.filters + ) as Filter[] | Filter | undefined; + const ast = buildExpression([ + buildExpressionFunction('kibana_context', { + q: query?.map(queryToAst), + filters: filters && filtersToAst(filters), + }), + ]).toAst(); + + if (!asDatatable) { + return ast; + } + + const aggsField = this.getField('aggs'); + const aggs = (typeof aggsField === 'function' ? aggsField() : aggsField) as + | AggConfigs + | AggConfigSerialized[] + | undefined; + const aggConfigs = + aggs instanceof AggConfigs + ? aggs + : index && aggs && this.dependencies.aggs.createAggConfigs(index, aggs); + + if (aggConfigs) { + ast.chain.push(...aggConfigs.toExpressionAst().chain); + } else { + ast.chain.push( + buildExpressionFunction('esdsl', { + size: body?.size, + dsl: JSON.stringify({}), + index: index?.id, + }).toAst() + ); + } + + return ast; + } } diff --git a/src/plugins/data/common/search/search_source/search_source_service.test.ts b/src/plugins/data/common/search/search_source/search_source_service.test.ts index d6b06bb22288e..70448db335a07 100644 --- a/src/plugins/data/common/search/search_source/search_source_service.test.ts 
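Review bot: In `toExpressionAst`, serialized aggregations set via `setField('aggs', [...])` are silently discarded when no `index` is set: `index && aggs && this.dependencies.aggs.createAggConfigs(index, aggs)` evaluates to `undefined`, `aggConfigs` is falsy, and the method falls through to the `esdsl` branch, so the generated expression runs an unaggregated search instead of reporting the misconfiguration. Unless that fallback is intentional, make it explicit before `if (aggConfigs)`: `if (Array.isArray(aggs) && aggs.length && !index) throw new Error('toExpressionAst: serialized aggs require the "index" field to be set');` (or at least log it). The `esdsl` branch also always emits `dsl: JSON.stringify({})`, so apart from `size` nothing else the merged request body carries is represented in the AST; that limit belongs in the method's JSDoc, e.g. `Only query, filters, size, index and aggs are carried over; other search-source fields are not forwarded to esdsl.` The enclosing `SearchSource` class starts outside the hunk.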
+++ b/src/plugins/data/common/search/search_source/search_source_service.test.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { IndexPatternsContract } from '../..'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { SearchSourceService, SearchSourceDependencies } from '.'; describe('SearchSource service', () => { @@ -15,6 +15,7 @@ describe('SearchSource service', () => { beforeEach(() => { jest.resetModules(); dependencies = { + aggs: {} as SearchSourceDependencies['aggs'], getConfig: jest.fn(), search: jest.fn(), onResponse: jest.fn(), @@ -24,7 +25,7 @@ describe('SearchSource service', () => { describe('start()', () => { test('exposes proper contract', () => { const start = new SearchSourceService().start( - jest.fn() as unknown as jest.Mocked, + jest.fn() as unknown as jest.Mocked, dependencies ); diff --git a/src/plugins/data/common/search/search_source/search_source_service.ts b/src/plugins/data/common/search/search_source/search_source_service.ts index e87f589044f9a..bf2f119f27e75 100644 --- a/src/plugins/data/common/search/search_source/search_source_service.ts +++ b/src/plugins/data/common/search/search_source/search_source_service.ts @@ -11,6 +11,7 @@ import { mergeMigrationFunctionMaps, MigrateFunctionsObject, } from '@kbn/kibana-utils-plugin/common'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { createSearchSource, extractReferences, @@ -19,7 +20,6 @@ import { SearchSourceDependencies, SerializedSearchSourceFields, } from '.'; -import { IndexPatternsContract } from '../..'; import { getAllMigrations as filtersGetAllMigrations } from '../../query/filters/persistable_state'; const getAllMigrations = (): MigrateFunctionsObject => { 
@@ -42,7 +42,7 @@ export class SearchSourceService { return { getAllMigrations }; } - public start(indexPatterns: IndexPatternsContract, dependencies: SearchSourceDependencies) { + public start(indexPatterns: DataViewsContract, dependencies: SearchSourceDependencies) { return { /** * creates searchsource based on serialized search source fields diff --git a/src/plugins/data/common/search/search_source/types.ts b/src/plugins/data/common/search/search_source/types.ts index a3cd83f6ba67a..3861ef18da6ce 100644 --- a/src/plugins/data/common/search/search_source/types.ts +++ b/src/plugins/data/common/search/search_source/types.ts @@ -9,11 +9,11 @@ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { SerializableRecord } from '@kbn/utility-types'; import { PersistableStateService } from '@kbn/kibana-utils-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/common'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { AggConfigSerialized, IAggConfigs } from '../../../public'; import { Query } from '../..'; import { Filter } from '../../es_query'; -import { IndexPattern } from '../..'; import type { SearchSource } from './search_source'; /** @@ -111,7 +111,7 @@ export interface SearchSourceFields { /** * {@link IndexPatternService} */ - index?: IndexPattern; + index?: DataView; searchAfter?: EsQuerySearchAfter; timeout?: string; terminate_after?: number; diff --git a/src/plugins/data/common/search/tabify/tabify.test.ts b/src/plugins/data/common/search/tabify/tabify.test.ts index 1f4d23a897c6e..ad0ed41a05328 100644 --- a/src/plugins/data/common/search/tabify/tabify.test.ts +++ b/src/plugins/data/common/search/tabify/tabify.test.ts 
@@ -7,7 +7,7 @@ */ import { tabifyAggResponse } from './tabify'; -import { IndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { AggConfigs, BucketAggParam, IAggConfig, IAggConfigs } from '../aggs'; import { mockAggTypesRegistry } from '../aggs/test_helpers'; import { metricOnly, threeTermBuckets } from './fixtures/fake_hierarchical_data'; @@ -30,7 +30,7 @@ describe('tabifyAggResponse Integration', () => { getFormatterForField: () => ({ toJSON: () => '{}', }), - } as unknown as IndexPattern; + } as unknown as DataView; return new AggConfigs(indexPattern, aggs, { typesRegistry }); }; diff --git a/src/plugins/data/common/search/tabify/tabify_docs.test.ts b/src/plugins/data/common/search/tabify/tabify_docs.test.ts index a514275f2d1cf..7cde73b4c1e76 100644 --- a/src/plugins/data/common/search/tabify/tabify_docs.test.ts +++ b/src/plugins/data/common/search/tabify/tabify_docs.test.ts @@ -7,7 +7,7 @@ */ import { tabifyDocs, flattenHit } from './tabify_docs'; -import { IndexPattern, DataView } from '../..'; +import { DataView } from '@kbn/data-views-plugin/common'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { fieldFormatsMock } from '@kbn/field-formats-plugin/common/mocks'; @@ -127,7 +127,7 @@ describe('tabify_docs', () => { getDefaultInstance: (id: string) => ({ toJSON: () => ({ id }) }), }; - const index = new IndexPattern({ + const index = new DataView({ spec: { id: 'test-index', fields: { diff --git a/src/plugins/data/common/search/tabify/tabify_docs.ts b/src/plugins/data/common/search/tabify/tabify_docs.ts index 97787ba74cf32..29ae739f89f49 100644 --- a/src/plugins/data/common/search/tabify/tabify_docs.ts +++ b/src/plugins/data/common/search/tabify/tabify_docs.ts 
@@ -9,7 +9,7 @@ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { isPlainObject } from 'lodash'; import { Datatable, DatatableColumn, DatatableColumnType } from '@kbn/expressions-plugin/common'; -import { IndexPattern } from '../..'; +import type { DataView } from '@kbn/data-views-plugin/common'; type ValidMetaFieldNames = keyof Pick< estypes.SearchHit, @@ -73,7 +73,7 @@ type Hit = estypes.SearchHit & { ignored_field_values?: Record; function flatten(obj: Record, keyPrefix: string = '') { @@ -170,7 +170,7 @@ export function flattenHit(hit: Hit, indexPattern?: IndexPattern, params?: Tabif export const tabifyDocs = ( esResponse: estypes.SearchResponse, - index?: IndexPattern, + index?: DataView, params: TabifyDocsOptions = {} ): Datatable => { const columns: DatatableColumn[] = []; diff --git a/src/plugins/data/common/search/types.ts b/src/plugins/data/common/search/types.ts index bb6788fd1781b..2064273c3f488 100644 --- a/src/plugins/data/common/search/types.ts +++ b/src/plugins/data/common/search/types.ts @@ -8,7 +8,8 @@ import type { KibanaExecutionContext } from '@kbn/core/public'; import { Observable } from 'rxjs'; import type { RequestAdapter } from '@kbn/inspector-plugin/common'; -import { IEsSearchRequest, IEsSearchResponse, IndexPattern } from '..'; +import type { DataView } from '@kbn/data-views-plugin/common'; +import { IEsSearchRequest, IEsSearchResponse } from '..'; export type ISearchGeneric = < SearchStrategyRequest extends IKibanaSearchRequest = IEsSearchRequest, @@ -133,7 +134,7 @@ export interface ISearchOptions { /** * Index pattern reference is used for better error messages */ - indexPattern?: IndexPattern; + indexPattern?: DataView; /** * Inspector integration options diff --git a/src/plugins/data/public/actions/filters/create_filters_from_range_select.test.ts b/src/plugins/data/public/actions/filters/create_filters_from_range_select.test.ts index a217e580ad608..bee22e07ab144 100644 
--- a/src/plugins/data/public/actions/filters/create_filters_from_range_select.test.ts +++ b/src/plugins/data/public/actions/filters/create_filters_from_range_select.test.ts @@ -10,7 +10,7 @@ import moment from 'moment'; import { createFiltersFromRangeSelectAction } from './create_filters_from_range_select'; -import { IndexPatternsContract } from '../..'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { dataPluginMock } from '../../mocks'; import { setIndexPatterns, setSearchService } from '../../services'; import { FieldFormatsGetConfigFn } from '@kbn/field-formats-plugin/common'; @@ -58,7 +58,7 @@ describe('brushEvent', () => { setIndexPatterns({ ...dataStart.indexPatterns, get: async () => indexPattern, - } as unknown as IndexPatternsContract); + } as unknown as DataViewsContract); baseEvent = { column: 0, diff --git a/src/plugins/data/public/actions/filters/create_filters_from_range_select.ts b/src/plugins/data/public/actions/filters/create_filters_from_range_select.ts index 0b07194cd9bbc..bcfdf46772dc5 100644 --- a/src/plugins/data/public/actions/filters/create_filters_from_range_select.ts +++ b/src/plugins/data/public/actions/filters/create_filters_from_range_select.ts @@ -9,7 +9,8 @@ import { last } from 'lodash'; import moment from 'moment'; import { Datatable } from '@kbn/expressions-plugin'; -import { esFilters, IFieldType, RangeFilterParams } from '../..'; +import { DataViewFieldBase } from '@kbn/es-query'; +import { esFilters, RangeFilterParams } from '../..'; import { getIndexPatterns, getSearchService } from '../../services'; import { AggConfigSerialized } from '../../../common/search/aggs'; 
@@ -33,7 +34,7 @@ export async function createFiltersFromRangeSelectAction(event: RangeSelectDataC aggConfigs as AggConfigSerialized, ]); const aggConfig = aggConfigsInstance.aggs[0]; - const field: IFieldType = aggConfig.params.field; + const field: DataViewFieldBase = aggConfig.params.field; if (!field || event.range.length <= 1) { return []; diff --git a/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts b/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts index 1132edabb2b3f..4bb80fe64134b 100644 --- a/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts +++ b/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts @@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import { IndexPatternsContract } from '../..'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { dataPluginMock } from '../../mocks'; import { setIndexPatterns, setSearchService } from '../../services'; import { createFiltersFromValueClickAction } from './create_filters_from_value_click'; @@ -68,7 +68,7 @@ describe('createFiltersFromValueClick', () => { }, getFormatterForField: () => new BytesFormat({}, (() => {}) as FieldFormatsGetConfigFn), }), - } as unknown as IndexPatternsContract); + } as unknown as DataViewsContract); }); test('ignores event when value for rows is not provided', async () => { diff --git a/src/plugins/data/public/deprecated.ts b/src/plugins/data/public/deprecated.ts index ac8f273eb7203..5f4705a9a5a4b 100644 --- a/src/plugins/data/public/deprecated.ts +++ b/src/plugins/data/public/deprecated.ts 
@@ -49,38 +49,20 @@ import { COMPARE_ALL_OPTIONS, onlyDisabledFiltersChanged, getEsQueryConfig, + TimeRange, } from '../common'; import { getDisplayValueFromFilter, generateFilters, - extractTimeRange, - changeTimeFilter as oldChangeTimeFilter, mapAndFlattenFilters as oldMapAndFlattenFilters, - extractTimeFilter as oldExtractTimeFilter, - convertRangeFilterToTimeRangeString as oldConvertRangeFilterToTimeRangeString, } from './query'; -/** - * @deprecated This import will be removed. - * @removeBy 8.1 - */ -const changeTimeFilter = oldChangeTimeFilter; /** * @deprecated This import will be removed. * @removeBy 8.1 */ const mapAndFlattenFilters = oldMapAndFlattenFilters; -/** - * @deprecated This import will be removed. - * @removeBy 8.1 - */ -const extractTimeFilter = oldExtractTimeFilter; -/** - * @deprecated This import will be removed. - * @removeBy 8.1 - */ -const convertRangeFilterToTimeRangeString = oldConvertRangeFilterToTimeRangeString; /** * Filter helpers namespace: @@ -117,11 +99,7 @@ export const esFilters = { generateFilters, onlyDisabledFiltersChanged, - changeTimeFilter, - convertRangeFilterToTimeRangeString, mapAndFlattenFilters, - extractTimeFilter, - extractTimeRange, }; /** @@ -135,6 +113,7 @@ export type { PhraseFilter, MatchAllFilter, EsQueryConfig, + TimeRange, }; export { isFilters }; diff --git a/src/plugins/data/public/index.ts b/src/plugins/data/public/index.ts index e831dd9e7bdbf..b5f411343c79b 100644 --- a/src/plugins/data/public/index.ts +++ b/src/plugins/data/public/index.ts @@ -23,7 +23,6 @@ export { getDisplayValueFromFilter, getFieldDisplayValueFromFilter, generateFilters, - extractTimeRange, getIndexPatternFromFilter, } from './query'; 
@@ -75,13 +74,9 @@ export const indexPatterns = { validate: validateDataView, }; -export type { IndexPatternsContract, DataViewsContract, TypeMeta } from './data_views'; -export { IndexPattern, IndexPatternField } from './data_views'; +export type { DataViewsContract, TypeMeta } from './data_views'; export type { - IIndexPattern, - IFieldType, - IndexPatternAttributes, AggregationRestrictions as IndexPatternAggRestrictions, IndexPatternLoadExpressionFunctionDefinition, GetFieldsOptions, diff --git a/src/plugins/data/public/query/filter_manager/lib/generate_filters.ts b/src/plugins/data/public/query/filter_manager/lib/generate_filters.ts index 58f5cf8e52c91..e0d29a560a436 100644 --- a/src/plugins/data/public/query/filter_manager/lib/generate_filters.ts +++ b/src/plugins/data/public/query/filter_manager/lib/generate_filters.ts @@ -17,9 +17,10 @@ import { buildFilter, FilterStateStore, FILTERS, + DataViewFieldBase, } from '@kbn/es-query'; +import type { DataView } from '@kbn/data-views-plugin/common'; -import { IFieldType, IIndexPattern } from '../../../../common'; import { FilterManager } from '../filter_manager'; function getExistingFilter( @@ -68,7 +69,7 @@ function updateExistingFilter(existingFilter: Filter, negate: boolean) { */ export function generateFilters( filterManager: FilterManager, - field: IFieldType | string, + field: DataViewFieldBase | string, values: any, operation: string, index: string @@ -80,7 +81,7 @@ export function generateFilters( : { name: field, } - ) as IFieldType; + ) as DataViewFieldBase; const fieldName = fieldObj.name; const newFilters: Filter[] = []; const appFilters = filterManager.getAppFilters(); 
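Review bot: The `public/index.ts` hunk drops `IndexPattern`, `IndexPatternField`, `IIndexPattern`, `IFieldType` and `IndexPatternAttributes` from the plugin's public entry point without leaving a pointer to where consumers should import from now, and the `server/index.ts` hunk further down does the same for `IndexPattern`, `IndexPatternField`, `IndexPatternAttributes` and `shouldReadFieldFromDocValues`. The other hunks in this commit move internal callers to `@kbn/data-views-plugin/common` and `@kbn/data-views-plugin/server`, so presumably that is the intended replacement, but nothing in either index file says so; a one-line comment next to the surviving `export type { DataViewsContract, TypeMeta } from './data_views';` such as `// IndexPattern* aliases were removed; import DataView types from @kbn/data-views-plugin/* instead.` would tell downstream plugins what to do when their build breaks. By contrast the `deprecated.ts` hunk removes its four time-filter helpers under an explicit `@removeBy 8.1` tag, which is the kind of signal the index files lack.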
@@ -97,7 +98,7 @@ export function generateFilters( } else if (fieldObj.type?.includes('range') && value && typeof value === 'object') { // When dealing with range fields, the filter type depends on the data passed in. If it's an // object we assume that it's a min/max value - const tmpIndexPattern = { id: index } as IIndexPattern; + const tmpIndexPattern = { id: index } as DataView; filter = buildFilter( tmpIndexPattern, @@ -110,10 +111,11 @@ export function generateFilters( FilterStateStore.APP_STATE ); } else { - const tmpIndexPattern = { id: index } as IIndexPattern; + const tmpIndexPattern = { id: index } as DataView; // exists filter special case: fieldname = '_exists' and value = fieldname const filterType = fieldName === '_exists_' ? FILTERS.EXISTS : FILTERS.PHRASE; - const actualFieldObj = fieldName === '_exists_' ? ({ name: value } as IFieldType) : fieldObj; + const actualFieldObj = + fieldName === '_exists_' ? ({ name: value } as DataViewFieldBase) : fieldObj; // Fix for #7189 - if value is empty, phrase filters become exists filters. const isNullFilter = value === null || value === undefined; diff --git a/src/plugins/data/public/query/filter_manager/lib/mappers/map_exists.test.ts b/src/plugins/data/public/query/filter_manager/lib/mappers/map_exists.test.ts index 3c53ee2943350..6cac5352af016 100644 --- a/src/plugins/data/public/query/filter_manager/lib/mappers/map_exists.test.ts +++ b/src/plugins/data/public/query/filter_manager/lib/mappers/map_exists.test.ts 
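Review bot: `const tmpIndexPattern = { id: index } as DataView;` (both occurrences in this hunk) asserts a one-property literal to the `DataView` class, so the type now promises fields and methods that are undefined at runtime, whereas the replaced `IIndexPattern` was at least an interface describing a plain object. `buildFilter` from `@kbn/es-query` is typed against `DataViewBase`, which is far closer to what is actually supplied, so `const tmpIndexPattern = { id: index } as DataViewBase;` with `DataViewBase` added to the existing `@kbn/es-query` import is the narrower and more honest cast. The `map_exists.test.ts` hunk on the next line introduces the same `as DataView` cast on `{ id: 'index' }`. `generateFilters` starts before this hunk and its body continues after it.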
@@ -8,25 +8,22 @@ import { mapExists } from './map_exists'; import { mapQueryString } from './map_query_string'; -import { - IIndexPattern, - IFieldType, - buildExistsFilter, - buildEmptyFilter, -} from '../../../../../common'; +import { buildExistsFilter, buildEmptyFilter } from '../../../../../common'; +import { DataViewFieldBase } from '@kbn/es-query'; +import type { DataView } from '@kbn/data-views-plugin/common'; describe('filter manager utilities', () => { describe('mapExists()', () => { - let indexPattern: IIndexPattern; + let indexPattern: DataView; beforeEach(() => { indexPattern = { id: 'index', - } as IIndexPattern; + } as DataView; }); test('should return the key and value for matching filters', async () => { - const filter = buildExistsFilter({ name: '_type' } as IFieldType, indexPattern); + const filter = buildExistsFilter({ name: '_type' } as DataViewFieldBase, indexPattern); const result = mapExists(filter); expect(result).toHaveProperty('key', '_type'); diff --git a/src/plugins/data/public/query/query_service.ts b/src/plugins/data/public/query/query_service.ts index 5eb24846c3578..07511c8acec19 100644 --- a/src/plugins/data/public/query/query_service.ts +++ b/src/plugins/data/public/query/query_service.ts @@ -11,6 +11,7 @@ import { HttpStart, IUiSettingsClient } from '@kbn/core/public'; import { PersistableStateService, VersionedState } from '@kbn/kibana-utils-plugin/common'; import { IStorageWrapper } from '@kbn/kibana-utils-plugin/public'; import { buildEsQuery } from '@kbn/es-query'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { FilterManager } from './filter_manager'; import { createAddToQueryLog } from './lib'; import type { TimefilterSetup } from './timefilter'; 
@@ -26,7 +27,6 @@ import { QueryStringManager } from './query_string'; import { getEsQueryConfig, TimeRange } from '../../common'; import { getUiSettings } from '../services'; import { NowProviderInternalContract } from '../now_provider'; -import { IndexPattern } from '..'; import { extract, getAllMigrations, @@ -67,7 +67,7 @@ export interface QueryStart extends PersistableStateService { // TODO: type explicitly savedQueries: ReturnType; // TODO: type explicitly - getEsQuery(indexPattern: IndexPattern, timeRange?: TimeRange): ReturnType; + getEsQuery(indexPattern: DataView, timeRange?: TimeRange): ReturnType; } /** @@ -120,7 +120,7 @@ export class QueryService implements PersistableStateService { state$: this.state$, getState: () => this.getQueryState(), timefilter: this.timefilter, - getEsQuery: (indexPattern: IndexPattern, timeRange?: TimeRange) => { + getEsQuery: (indexPattern: DataView, timeRange?: TimeRange) => { const timeFilter = this.timefilter.timefilter.createFilter(indexPattern, timeRange); return buildEsQuery( diff --git a/src/plugins/data/public/query/timefilter/index.ts b/src/plugins/data/public/query/timefilter/index.ts index 604213054fd02..8d05b56f05038 100644 --- a/src/plugins/data/public/query/timefilter/index.ts +++ b/src/plugins/data/public/query/timefilter/index.ts @@ -14,6 +14,4 @@ export type { TimefilterContract, AutoRefreshDoneFn } from './timefilter'; export { Timefilter } from './timefilter'; export type { TimeHistoryContract } from './time_history'; export { TimeHistory } from './time_history'; -export { changeTimeFilter, convertRangeFilterToTimeRangeString } from './lib/change_time_filter'; -export { extractTimeFilter, extractTimeRange } from './lib/extract_time_filter'; export { validateTimeRange } from './lib/validate_timerange'; 
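Review bot: `getEsQuery(indexPattern: DataView, timeRange?: TimeRange)` in both query_service.ts hunks, and `createFilter`/`createRelativeFilter` in the timefilter.ts hunks further down, replace the `IIndexPattern` interface with the concrete `DataView` class in parameter position, which narrows what callers of the public `QueryStart` and `Timefilter` contracts may pass: a plain object that previously satisfied the interface no longer type-checks without a cast, and the `map_exists.test.ts` hunk shows exactly that cast being added. If `getTime`/`getRelativeTime` only read the data view's id and time field, `DataViewBase` from `@kbn/es-query` would keep the contract as open as before; if requiring the class is deliberate, the JSDoc above `createFilter` should state it, e.g. `* @param indexPattern a DataView instance; plain index-pattern-like objects are no longer accepted`. The `getEsQuery` arrow body and the enclosing `QueryService.start` method continue outside the hunk.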
diff --git a/src/plugins/data/public/query/timefilter/lib/change_time_filter.test.ts b/src/plugins/data/public/query/timefilter/lib/change_time_filter.test.ts
deleted file mode 100644
index 3d8985820f40d..0000000000000
--- a/src/plugins/data/public/query/timefilter/lib/change_time_filter.test.ts
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- 2.0 and the Server Side Public License, v 1; you may not use this file except
- in compliance with, at your election, the Elastic License 2.0 or the Server
- Side Public License, v 1.
- */
-
-import { changeTimeFilter } from './change_time_filter';
-import { timefilterServiceMock } from '../timefilter_service.mock';
-import { TimeRange, RangeFilter } from '../../../../common';
-
-const timefilterMock = timefilterServiceMock.createSetupContract();
-const timefilter = timefilterMock.timefilter;
-
-let _time: TimeRange | undefined;
-
-timefilter.setTime.mockImplementation((time: any) => {
- _time = {
- from: time.from.toISOString(),
- to: time.to.toISOString(),
- };
-});
-timefilter.getTime.mockImplementation(() => {
- return _time!;
-});
-
-describe('changeTimeFilter()', () => {
- const gt = 1388559600000;
- const lt = 1388646000000;
-
- test('should change the timefilter to match the range gt/lt', () => {
- const filter: any = { query: { range: { '@timestamp': { gt, lt } } } };
- changeTimeFilter(timefilter, filter as RangeFilter);
-
- const { to, from } = timefilter.getTime();
-
- expect(to).toBe(new Date(lt).toISOString());
- expect(from).toBe(new Date(gt).toISOString());
- });
-
- test('should change the timefilter to match the range gte/lte', () => {
- const filter: any = { query: { range: { '@timestamp': { gte: gt, lte: lt } } } };
- changeTimeFilter(timefilter, filter as RangeFilter);
-
- const { to, from } = timefilter.getTime();
-
- expect(to).toBe(new Date(lt).toISOString());
- expect(from).toBe(new Date(gt).toISOString());
- });
-});
diff --git a/src/plugins/data/public/query/timefilter/timefilter.ts b/src/plugins/data/public/query/timefilter/timefilter.ts
index d4ceb83940d27..c0fddfb3bd608 100644
--- a/src/plugins/data/public/query/timefilter/timefilter.ts
+++ b/src/plugins/data/public/query/timefilter/timefilter.ts @@ -10,6 +10,7 @@ import _ from 'lodash'; import { Subject, BehaviorSubject } from 'rxjs'; import moment from 'moment'; import { PublicMethodsOf } from '@kbn/utility-types'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { areRefreshIntervalsDifferent, areTimeRangesDifferent } from './lib/diff_time_picker_vals'; import type { TimefilterConfig, InputTimeRange, TimeRangeBounds } from './types'; import { NowProviderInternalContract } from '../../now_provider'; @@ -18,7 +19,6 @@ import { getAbsoluteTimeRange, getTime, getRelativeTime, - IIndexPattern, RefreshInterval, TimeRange, } from '../../../common'; @@ -204,7 +204,7 @@ export class Timefilter { * * One use case is keeping different elements embedded in the same UI in sync. */ - public createFilter = (indexPattern: IIndexPattern, timeRange?: TimeRange) => { + public createFilter = (indexPattern: DataView, timeRange?: TimeRange) => { return getTime(indexPattern, timeRange ? timeRange : this._time, { forceNow: this.nowProvider.get(), }); @@ -218,7 +218,7 @@ export class Timefilter { * * @note Consumers of this function need to ensure that the ES endpoint supports datemath. */ - public createRelativeFilter = (indexPattern: IIndexPattern, timeRange?: TimeRange) => { + public createRelativeFilter = (indexPattern: DataView, timeRange?: TimeRange) => { return getRelativeTime(indexPattern, timeRange ? timeRange : this._time, { forceNow: this.nowProvider.get(), }); diff --git a/src/plugins/data/public/search/aggs/aggs_service.ts b/src/plugins/data/public/search/aggs/aggs_service.ts index 6dc6e3f9c5874..45600b3c35c1c 100644 --- a/src/plugins/data/public/search/aggs/aggs_service.ts +++ b/src/plugins/data/public/search/aggs/aggs_service.ts 
@@ -11,6 +11,7 @@ import { Subscription } from 'rxjs'; import { IUiSettingsClient } from '@kbn/core/public'; import { ExpressionsServiceSetup } from '@kbn/expressions-plugin/common'; import { FieldFormatsStart } from '@kbn/field-formats-plugin/public'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { calculateBounds, TimeRange } from '../../../common'; import { aggsRequiredUiSettings, @@ -20,7 +21,6 @@ import { AggTypesDependencies, } from '../../../common/search/aggs'; import { AggsSetup, AggsStart } from './types'; -import { IndexPatternsContract } from '../..'; import { NowProviderInternalContract } from '../../now_provider'; /** @@ -59,7 +59,7 @@ export interface AggsSetupDependencies { export interface AggsStartDependencies { fieldFormats: FieldFormatsStart; uiSettings: IUiSettingsClient; - indexPatterns: IndexPatternsContract; + indexPatterns: DataViewsContract; } /** diff --git a/src/plugins/data/public/search/errors/painless_error.tsx b/src/plugins/data/public/search/errors/painless_error.tsx index 0eac061bde364..64f6c586932af 100644 --- a/src/plugins/data/public/search/errors/painless_error.tsx +++ b/src/plugins/data/public/search/errors/painless_error.tsx @@ -11,15 +11,15 @@ import { i18n } from '@kbn/i18n'; import { EuiButton, EuiSpacer, EuiText, EuiCodeBlock } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { ApplicationStart } from '@kbn/core/public'; +import type { DataView } from '@kbn/data-views-plugin/common'; import { IEsError, isEsError } from './types'; import { EsError } from './es_error'; import { getRootCause } from './utils'; -import { IndexPattern } from '../..'; export class PainlessError extends EsError { painlessStack?: string; - indexPattern?: IndexPattern; - constructor(err: IEsError, indexPattern?: IndexPattern) { + indexPattern?: DataView; + constructor(err: IEsError, indexPattern?: DataView) { super(err); this.indexPattern = indexPattern; } 
diff --git a/src/plugins/data/public/search/expressions/esaggs.test.ts b/src/plugins/data/public/search/expressions/esaggs.test.ts index a837c43d1cf1e..33d2ab4a3c1b3 100644 --- a/src/plugins/data/public/search/expressions/esaggs.test.ts +++ b/src/plugins/data/public/search/expressions/esaggs.test.ts @@ -10,7 +10,7 @@ import { omit } from 'lodash'; import { of as mockOf } from 'rxjs'; import type { MockedKeys } from '@kbn/utility-types/jest'; import type { ExecutionContext } from '@kbn/expressions-plugin/public'; -import type { IndexPatternsContract } from '../../../common'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import type { ISearchStartSearchSource, KibanaContext, @@ -69,7 +69,7 @@ describe('esaggs expression function - public', () => { } as unknown as jest.Mocked, indexPatterns: { create: jest.fn().mockResolvedValue({}), - } as unknown as jest.Mocked, + } as unknown as jest.Mocked, searchSource: {} as unknown as jest.Mocked, }; getStartDependencies = jest.fn().mockResolvedValue(startDependencies); @@ -112,11 +112,11 @@ describe('esaggs expression function - public', () => { aggs: { foo: 'bar', hierarchical: true, + partialRows: args.partialRows, }, filters: undefined, indexPattern: {}, inspectorAdapters: mockHandlers.inspectorAdapters, - partialRows: args.partialRows, query: undefined, searchSessionId: 'abc123', searchSourceService: startDependencies.searchSource, diff --git a/src/plugins/data/public/search/expressions/esaggs.ts b/src/plugins/data/public/search/expressions/esaggs.ts index ffdd1663a87b1..342abc854138e 100644 --- a/src/plugins/data/public/search/expressions/esaggs.ts +++ b/src/plugins/data/public/search/expressions/esaggs.ts @@ -46,6 +46,7 @@ export function getFunctionDefinition({ args.aggs?.map((agg) => agg.value) ?? [] ); aggConfigs.hierarchical = args.metricsAtAllLevels; + aggConfigs.partialRows = args.partialRows; const { handleEsaggsRequest } = await import('../../../common/search/expressions'); 
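Review bot: `aggConfigs.partialRows = args.partialRows;` moves the flag from an explicit option of the `handleEsaggsRequest` call (removed in the next hunk) onto a mutable property of the freshly created `AggConfigs`, and the common-side consumer that must now read it from the instance is not part of this chunk, so the two halves of the contract cannot be checked against each other here; the server `esaggs.ts` hunk makes the identical move. A comment on the two back-to-back assignments would make the coupling explicit for the next reader, e.g. `// hierarchical/partialRows are read from the AggConfigs instance by handleEsaggsRequest, not passed as options` (assuming that is where they are consumed). `getFunctionDefinition` starts and ends outside the hunk.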
@@ -58,7 +59,6 @@ export function getFunctionDefinition({ filters: get(input, 'filters', undefined), indexPattern, inspectorAdapters, - partialRows: args.partialRows, query: get(input, 'query', undefined) as any, searchSessionId: getSearchSessionId(), searchSourceService: searchSource, diff --git a/src/plugins/data/public/search/expressions/kibana_context.ts b/src/plugins/data/public/search/expressions/kibana_context.ts index 8fad3c8e06c57..cfbac7ad8a5ca 100644 --- a/src/plugins/data/public/search/expressions/kibana_context.ts +++ b/src/plugins/data/public/search/expressions/kibana_context.ts @@ -7,9 +7,9 @@ */ import { StartServicesAccessor } from '@kbn/core/public'; +import { SavedObjectsClientCommon } from '@kbn/data-views-plugin/public'; import { getKibanaContextFn } from '../../../common/search/expressions'; import { DataPublicPluginStart, DataStartDependencies } from '../../types'; -import { SavedObjectsClientCommon } from '../../../common'; /** * This is some glue code that takes in `core.getStartServices`, extracts the dependencies diff --git a/src/plugins/data/public/search/search_service.ts b/src/plugins/data/public/search/search_service.ts index 4755b2f02c183..6c7ec3af0f0d7 100644 --- a/src/plugins/data/public/search/search_service.ts +++ b/src/plugins/data/public/search/search_service.ts @@ -23,6 +23,7 @@ import { toMountPoint } from '@kbn/kibana-react-plugin/public'; import { Storage } from '@kbn/kibana-utils-plugin/public'; import { ScreenshotModePluginStart } from '@kbn/screenshot-mode-plugin/public'; import { ManagementSetup } from '@kbn/management-plugin/public'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import type { ISearchSetup, ISearchStart } from './types'; import { handleResponse } from './fetch'; 
@@ -55,7 +56,7 @@ import { eqlRawResponse, } from '../../common/search'; import { AggsService, AggsStartDependencies } from './aggs'; -import { IKibanaSearchResponse, IndexPatternsContract, SearchRequest } from '..'; +import { IKibanaSearchResponse, SearchRequest } from '..'; import { ISearchInterceptor, SearchInterceptor } from './search_interceptor'; import { createUsageCollector, SearchUsageCollector } from './collectors'; import { getEsaggs, getEsdsl, getEssql, getEql } from './expressions'; @@ -85,7 +86,7 @@ export interface SearchServiceSetupDependencies { /** @internal */ export interface SearchServiceStartDependencies { fieldFormats: AggsStartDependencies['fieldFormats']; - indexPatterns: IndexPatternsContract; + indexPatterns: DataViewsContract; screenshotMode: ScreenshotModePluginStart; } @@ -230,7 +231,9 @@ export class SearchService implements Plugin { const loadingCount$ = new BehaviorSubject(0); http.addLoadingCountSource(loadingCount$); + const aggs = this.aggsService.start({ fieldFormats, uiSettings, indexPatterns }); const searchSourceDependencies: SearchSourceDependencies = { + aggs, getConfig: uiSettings.get.bind(uiSettings), search, onResponse: (request: SearchRequest, response: IKibanaSearchResponse) => @@ -260,7 +263,7 @@ export class SearchService implements Plugin { } return { - aggs: this.aggsService.start({ fieldFormats, uiSettings, indexPatterns }), + aggs, search, showError: (e: Error) => { this.searchInterceptor.showError(e); diff --git a/src/plugins/data/public/search/types.ts b/src/plugins/data/public/search/types.ts index fa23b8f593688..ecf3a0e453e89 100644 --- a/src/plugins/data/public/search/types.ts +++ b/src/plugins/data/public/search/types.ts 
@@ -9,10 +9,10 @@ // eslint-disable-next-line @kbn/eslint/no-restricted-paths import { PackageInfo } from '@kbn/core/server'; import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/public'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { SearchUsageCollector } from './collectors'; import { AggsSetup, AggsSetupDependencies, AggsStartDependencies, AggsStart } from './aggs'; import { ISearchGeneric, ISearchStartSearchSource } from '../../common/search'; -import { IndexPatternsContract } from '../../common'; import { ISessionsClient, ISessionService } from './session'; export type { ISearchStartSearchSource, SearchUsageCollector }; @@ -83,5 +83,5 @@ export interface SearchServiceSetupDependencies { /** @internal */ export interface SearchServiceStartDependencies { fieldFormats: AggsStartDependencies['fieldFormats']; - indexPatterns: IndexPatternsContract; + indexPatterns: DataViewsContract; } diff --git a/src/plugins/data/public/services.ts b/src/plugins/data/public/services.ts index cb294964a4b4f..0705c6b77c441 100644 --- a/src/plugins/data/public/services.ts +++ b/src/plugins/data/public/services.ts @@ -8,7 +8,7 @@ import { NotificationsStart, CoreStart, ThemeServiceStart } from '@kbn/core/public'; import { createGetterSetter } from '@kbn/kibana-utils-plugin/public'; -import { IndexPatternsContract } from './data_views'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { DataPublicPluginStart } from './types'; export const [getNotifications, setNotifications] = @@ -20,7 +20,7 @@ export const [getUiSettings, setUiSettings] = export const [getOverlays, setOverlays] = createGetterSetter('Overlays'); export const [getIndexPatterns, setIndexPatterns] = - createGetterSetter('IndexPatterns'); + createGetterSetter('IndexPatterns'); export const [getSearchService, setSearchService] = createGetterSetter('Search'); 
diff --git a/src/plugins/data/server/datatable_utilities/datatable_utilities_service.ts b/src/plugins/data/server/datatable_utilities/datatable_utilities_service.ts index 9c460e639dc37..57d130f30aa98 100644 --- a/src/plugins/data/server/datatable_utilities/datatable_utilities_service.ts +++ b/src/plugins/data/server/datatable_utilities/datatable_utilities_service.ts @@ -12,14 +12,14 @@ import type { UiSettingsServiceStart, } from '@kbn/core/server'; import type { FieldFormatsStart } from '@kbn/field-formats-plugin/server'; -import type { IndexPatternsServiceStart } from '@kbn/data-views-plugin/server'; +import type { DataViewsServerPluginStart } from '@kbn/data-views-plugin/server'; import { DatatableUtilitiesService as DatatableUtilitiesServiceCommon } from '../../common'; import type { AggsStart } from '../search'; export class DatatableUtilitiesService { constructor( private aggs: AggsStart, - private dataViews: IndexPatternsServiceStart, + private dataViews: DataViewsServerPluginStart, private fieldFormats: FieldFormatsStart, private uiSettings: UiSettingsServiceStart ) { diff --git a/src/plugins/data/server/index.ts b/src/plugins/data/server/index.ts index cac9f9c08209e..4d34974a347eb 100644 --- a/src/plugins/data/server/index.ts +++ b/src/plugins/data/server/index.ts 
@@ -38,20 +38,13 @@ export { DATA_VIEW_SAVED_OBJECT_TYPE } from '../common'; * Index patterns: */ -export type { FieldDescriptor, IndexPatternsServiceStart } from './data_views'; -export { - IndexPatternsFetcher, - shouldReadFieldFromDocValues, - getCapabilitiesForRollupIndices, -} from './data_views'; +export type { FieldDescriptor, DataViewsServerPluginStart } from './data_views'; +export { IndexPatternsFetcher, getCapabilitiesForRollupIndices } from './data_views'; -export type { IndexPatternAttributes } from '../common'; export { - IndexPatternField, ES_FIELD_TYPES, KBN_FIELD_TYPES, UI_SETTINGS, - IndexPattern, IndexPatternsService, IndexPatternsService as IndexPatternsCommonService, DataView, diff --git a/src/plugins/data/server/search/aggs/aggs_service.ts b/src/plugins/data/server/search/aggs/aggs_service.ts index 4885c5d61f039..4729f54a21a68 100644 --- a/src/plugins/data/server/search/aggs/aggs_service.ts +++ b/src/plugins/data/server/search/aggs/aggs_service.ts @@ -15,6 +15,7 @@ import { } from '@kbn/core/server'; import { ExpressionsServiceSetup } from '@kbn/expressions-plugin/common'; import { FieldFormatsStart } from '@kbn/field-formats-plugin/server'; +import { DataViewsServerPluginStart } from '@kbn/data-views-plugin/server'; import { AggsCommonService, AggConfigs, @@ -23,7 +24,6 @@ import { calculateBounds, TimeRange, } from '../../../common'; -import { IndexPatternsServiceStart } from '../../data_views'; import { AggsSetup, AggsStart } from './types'; /** @internal */ @@ -35,7 +35,7 @@ export interface AggsSetupDependencies { export interface AggsStartDependencies { fieldFormats: FieldFormatsStart; uiSettings: UiSettingsServiceStart; - indexPatterns: IndexPatternsServiceStart; + indexPatterns: DataViewsServerPluginStart; } /** 
@@ -75,7 +75,7 @@ export class AggsService { const { calculateAutoTimeExpression, types } = this.aggsCommonService.start({ getConfig, getIndexPattern: ( - await indexPatterns.indexPatternsServiceFactory(savedObjectsClient, elasticsearchClient) + await indexPatterns.dataViewsServiceFactory(savedObjectsClient, elasticsearchClient) ).get, isDefaultTimezone, }); diff --git a/src/plugins/data/server/search/expressions/esaggs.test.ts b/src/plugins/data/server/search/expressions/esaggs.test.ts index bd07d8f538456..f5042b05ea9f4 100644 --- a/src/plugins/data/server/search/expressions/esaggs.test.ts +++ b/src/plugins/data/server/search/expressions/esaggs.test.ts @@ -11,7 +11,7 @@ import { of as mockOf } from 'rxjs'; import type { MockedKeys } from '@kbn/utility-types/jest'; import { KibanaRequest } from '@kbn/core/server'; import type { ExecutionContext } from '@kbn/expressions-plugin/server'; -import type { IndexPatternsContract } from '../../../common'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import type { AggsCommonStart, ISearchStartSearchSource, @@ -71,7 +71,7 @@ describe('esaggs expression function - server', () => { } as unknown as jest.Mocked, indexPatterns: { create: jest.fn().mockResolvedValue({}), - } as unknown as jest.Mocked, + } as unknown as jest.Mocked, searchSource: {} as unknown as jest.Mocked, }; getStartDependencies = jest.fn().mockResolvedValue(startDependencies); @@ -120,11 +120,11 @@ describe('esaggs expression function - server', () => { aggs: { foo: 'bar', hierarchical: args.metricsAtAllLevels, + partialRows: args.partialRows, }, filters: undefined, indexPattern: {}, inspectorAdapters: mockHandlers.inspectorAdapters, - partialRows: args.partialRows, query: undefined, searchSessionId: 'abc123', searchSourceService: startDependencies.searchSource, diff --git a/src/plugins/data/server/search/expressions/esaggs.ts b/src/plugins/data/server/search/expressions/esaggs.ts index 912acfab3b3fe..bca2ac63b7f0f 100644 
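Review bot: In `esaggs.test.ts` the replacement `import { DataViewsContract } from '@kbn/data-views-plugin/common';` turns what was a type-only import into a value import, although `DataViewsContract` is only used in the `as unknown as jest.Mocked<...>` cast a few lines below. Keep it as `import type { DataViewsContract } from '@kbn/data-views-plugin/common';` so the test does not pull the data-views common bundle at runtime and stays consistent with the neighbouring `import type` lines. The hunk that moves `partialRows` under `aggs` in the expected call looks consistent with the `esaggs.ts` change that follows.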
--- a/src/plugins/data/server/search/expressions/esaggs.ts +++ b/src/plugins/data/server/search/expressions/esaggs.ts @@ -60,6 +60,7 @@ export function getFunctionDefinition({ ); aggConfigs.hierarchical = args.metricsAtAllLevels; + aggConfigs.partialRows = args.partialRows; return { aggConfigs, indexPattern, searchSource }; }).pipe( @@ -70,7 +71,6 @@ export function getFunctionDefinition({ filters: get(input, 'filters', undefined), indexPattern, inspectorAdapters, - partialRows: args.partialRows, query: get(input, 'query', undefined) as any, searchSessionId: getSearchSessionId(), searchSourceService: searchSource, @@ -111,7 +111,7 @@ export function getEsaggs({ return { aggs: await search.aggs.asScopedToClient(savedObjectsClient, esClient.asCurrentUser), - indexPatterns: await indexPatterns.indexPatternsServiceFactory( + indexPatterns: await indexPatterns.dataViewsServiceFactory( savedObjectsClient, esClient.asCurrentUser ), diff --git a/src/plugins/data/server/search/expressions/kibana_context.ts b/src/plugins/data/server/search/expressions/kibana_context.ts index ee28124d09216..14fdcdd784f33 100644 --- a/src/plugins/data/server/search/expressions/kibana_context.ts +++ b/src/plugins/data/server/search/expressions/kibana_context.ts @@ -7,9 +7,9 @@ */ import { StartServicesAccessor } from '@kbn/core/server'; +import { SavedObjectsClientCommon } from '@kbn/data-views-plugin/server'; import { getKibanaContextFn } from '../../../common/search/expressions'; import { DataPluginStart, DataPluginStartDependencies } from '../../plugin'; -import { SavedObjectsClientCommon } from '../../../common'; /** * This is some glue code that takes in `core.getStartServices`, extracts the dependencies diff --git a/src/plugins/data/server/search/search_service.ts b/src/plugins/data/server/search/search_service.ts index a26f7b36df56b..6561e6e127d0b 100644 --- a/src/plugins/data/server/search/search_service.ts +++ b/src/plugins/data/server/search/search_service.ts 
@@ -30,6 +30,7 @@ import type { TaskManagerStartContract, } from '@kbn/task-manager-plugin/server'; import type { SecurityPluginSetup } from '@kbn/security-plugin/server'; +import type { DataViewsServerPluginStart } from '@kbn/data-views-plugin/server'; import type { DataRequestHandlerContext, IScopedSearchClient, @@ -41,7 +42,6 @@ import type { import { AggsService } from './aggs'; -import { IndexPatternsServiceStart } from '../data_views'; import { registerSearchRoute, registerSessionRoutes } from './routes'; import { ES_SEARCH_STRATEGY, esSearchStrategyProvider } from './strategies/es_search'; import { DataPluginStart, DataPluginStartDependencies } from '../plugin'; @@ -116,7 +116,7 @@ export interface SearchServiceSetupDependencies { /** @internal */ export interface SearchServiceStartDependencies { fieldFormats: FieldFormatsStart; - indexPatterns: IndexPatternsServiceStart; + indexPatterns: DataViewsServerPluginStart; taskManager?: TaskManagerStartContract; } @@ -275,13 +275,15 @@ export class SearchService implements Plugin { this.sessionService.start(core, { taskManager }); } + const aggs = this.aggsService.start({ + fieldFormats, + uiSettings, + indexPatterns, + }); + this.asScoped = this.asScopedProvider(core); return { - aggs: this.aggsService.start({ - fieldFormats, - uiSettings, - indexPatterns, - }), + aggs, searchAsInternalUser: this.searchAsInternalUser, getSearchStrategy: this.getSearchStrategy, asScoped: this.asScoped, 
@@ -289,11 +291,12 @@ export class SearchService implements Plugin { asScoped: async (request: KibanaRequest) => { const esClient = elasticsearch.client.asScoped(request); const savedObjectsClient = savedObjects.getScopedClient(request); - const scopedIndexPatterns = await indexPatterns.indexPatternsServiceFactory( + const scopedIndexPatterns = await indexPatterns.dataViewsServiceFactory( savedObjectsClient, esClient.asCurrentUser ); const uiSettingsClient = uiSettings.asScopedToClient(savedObjectsClient); + const aggsStart = await aggs.asScopedToClient(savedObjectsClient, esClient.asCurrentUser); // cache ui settings, only including items which are explicitly needed by SearchSource const uiSettingsCache = pick( @@ -302,6 +305,7 @@ export class SearchService implements Plugin { ); const searchSourceDependencies: SearchSourceDependencies = { + aggs: aggsStart, getConfig: (key: string): T => uiSettingsCache[key], search: this.asScoped(request).search, onResponse: (req, res) => res, diff --git a/src/plugins/data_view_editor/public/lib/extract_time_fields.test.ts b/src/plugins/data_view_editor/public/lib/extract_time_fields.test.ts index 5f23ac0591cec..28e4cfeb34d53 100644 --- a/src/plugins/data_view_editor/public/lib/extract_time_fields.test.ts +++ b/src/plugins/data_view_editor/public/lib/extract_time_fields.test.ts 
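Review bot: `aggsStart` is now created on every `asScoped(request)` call and awaited serially after the already-awaited `dataViewsServiceFactory` call, even though only `searchSourceDependencies` consumes it; if the two factories are independent (their definitions are outside this hunk), `const [scopedIndexPatterns, aggsStart] = await Promise.all([...])` preserves the same request scoping without the extra round trip. The scoping itself is the right call — both factories receive the request's `savedObjectsClient` and `esClient.asCurrentUser`, so ES and saved-object authorization stay bound to the calling user — and that intent deserves a line so nobody "optimises" it to the internal user later: `// scope aggs to the request's own clients so authorization follows the calling user`. The `asScoped` arrow function continues past the end of this hunk.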
@@ -7,20 +7,20 @@ */ import { extractTimeFields } from './extract_time_fields'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import type { DataViewField } from '@kbn/data-views-plugin/public'; describe('extractTimeFields', () => { it('should handle no date fields', () => { const fields = [ { type: 'text', name: 'name' }, { type: 'text', name: 'name' }, - ] as IndexPatternField[]; + ] as DataViewField[]; expect(extractTimeFields(fields)).toEqual([]); }); it('should add extra options', () => { - const fields = [{ type: 'date', name: '@timestamp' }] as IndexPatternField[]; + const fields = [{ type: 'date', name: '@timestamp' }] as DataViewField[]; // const extractedFields = extractTimeFields(fields); expect(extractTimeFields(fields)).toEqual([ diff --git a/src/plugins/data_view_editor/public/lib/extract_time_fields.ts b/src/plugins/data_view_editor/public/lib/extract_time_fields.ts index bd6735cedb765..af1e9b9914028 100644 --- a/src/plugins/data_view_editor/public/lib/extract_time_fields.ts +++ b/src/plugins/data_view_editor/public/lib/extract_time_fields.ts @@ -7,11 +7,11 @@ */ import { i18n } from '@kbn/i18n'; -import { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { TimestampOption } from '../types'; export function extractTimeFields( - fields: IndexPatternField[], + fields: DataViewField[], requireTimestampField: boolean = false ): TimestampOption[] { const dateFields = fields.filter((field) => field.type === 'date'); diff --git a/src/plugins/data_view_editor/public/open_editor.tsx b/src/plugins/data_view_editor/public/open_editor.tsx index ed57870c49783..766054c2f3465 100644 --- a/src/plugins/data_view_editor/public/open_editor.tsx +++ b/src/plugins/data_view_editor/public/open_editor.tsx 
@@ -10,13 +10,9 @@ import React from 'react'; import { CoreStart, OverlayRef } from '@kbn/core/public'; import { I18nProvider } from '@kbn/i18n-react'; import type { DataViewsPublicPluginStart } from '@kbn/data-views-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/public'; -import { - createKibanaReactContext, - toMountPoint, - IndexPattern, - DataPublicPluginStart, -} from './shared_imports'; +import { createKibanaReactContext, toMountPoint, DataPublicPluginStart } from './shared_imports'; import { CloseEditor, DataViewEditorContext, DataViewEditorProps } from './types'; import { DataViewEditorLazy } from './components/data_view_editor_lazy'; @@ -58,7 +54,7 @@ export const getEditorOpener = } }; - const onSaveIndexPattern = (indexPattern: IndexPattern) => { + const onSaveIndexPattern = (indexPattern: DataView) => { closeEditor(); if (onSave) { diff --git a/src/plugins/data_view_editor/public/shared_imports.ts b/src/plugins/data_view_editor/public/shared_imports.ts index cc826dffdb6e5..9f805feedeca1 100644 --- a/src/plugins/data_view_editor/public/shared_imports.ts +++ b/src/plugins/data_view_editor/public/shared_imports.ts @@ -11,9 +11,7 @@ export type { GetFieldsOptions, IndexPatternAggRestrictions, } from '@kbn/data-plugin/public'; -export { IndexPattern, IndexPatternField } from '@kbn/data-plugin/public'; -export type { DataViewSpec } from '@kbn/data-views-plugin/public'; -export { DataView } from '@kbn/data-views-plugin/public'; +export type { DataView, DataViewField, DataViewSpec } from '@kbn/data-views-plugin/public'; export { createKibanaReactContext, diff --git a/src/plugins/data_views/common/constants.ts b/src/plugins/data_views/common/constants.ts index d6a9def882a1b..680c8af905534 100644 --- a/src/plugins/data_views/common/constants.ts +++ b/src/plugins/data_views/common/constants.ts 
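Review bot: `open_editor.tsx` now has two consecutive `import type` statements from `@kbn/data-views-plugin/public`, one for `DataViewsPublicPluginStart` and the new one for `DataView`; merge them into `import type { DataView, DataViewsPublicPluginStart } from '@kbn/data-views-plugin/public';` so the file keeps one import per module. The same module's `shared_imports.ts` hunk already consolidates its data-views exports onto a single `export type` line, so the editor file should follow that pattern.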
@@ -6,6 +6,10 @@ * Side Public License, v 1. */ +/** + * All runtime field types. + * @public + */ export const RUNTIME_FIELD_TYPES = [ 'keyword', 'long', @@ -32,9 +36,20 @@ export const DEFAULT_ASSETS_TO_IGNORE = { METRICS_ENDPOINT_INDEX_TO_IGNORE: 'metrics-endpoint.metadata_current_default', // ignore index created by Fleet endpoint package installed by default in Cloud }; +/** + * UiSettings key for metaFields list. + * @public + */ export const META_FIELDS = 'metaFields'; -/** @public **/ +/** + * Data view saved object type. + * @public + */ export const DATA_VIEW_SAVED_OBJECT_TYPE = 'index-pattern'; +/** + * Data views plugin name. + * @public + */ export const PLUGIN_NAME = 'DataViews'; diff --git a/src/plugins/data_views/common/data_views/data_view.test.ts b/src/plugins/data_views/common/data_views/data_view.test.ts index f061772a60e04..741711366223f 100644 --- a/src/plugins/data_views/common/data_views/data_view.test.ts +++ b/src/plugins/data_views/common/data_views/data_view.test.ts @@ -8,11 +8,11 @@ import { map, last } from 'lodash'; -import { IndexPattern } from './data_view'; +import { DataView } from './data_view'; import { CharacterNotAllowedInField } from '@kbn/kibana-utils-plugin/common'; -import { IndexPatternField } from '../fields'; +import { DataViewField } from '../fields'; import { fieldFormatsMock } from '@kbn/field-formats-plugin/common/mocks'; import { FieldFormat } from '@kbn/field-formats-plugin/common'; @@ -51,7 +51,7 @@ function create(id: string) { attributes: { timeFieldName, fields, title }, } = stubbedSavedObjectIndexPattern(id); - return new IndexPattern({ + return new DataView({ spec: { id, type, @@ -68,7 +68,7 @@ function create(id: string) { } describe('IndexPattern', () => { - let indexPattern: IndexPattern; + let indexPattern: DataView; // create an indexPattern instance for each test beforeEach(() => { 
@@ -101,8 +101,8 @@ describe('IndexPattern', () => { describe('getScriptedFields', () => { test('should return all scripted fields', () => { const scriptedNames = stubLogstashFields - .filter((item: IndexPatternField) => item.scripted === true) - .map((item: IndexPatternField) => item.name); + .filter((item: DataViewField) => item.scripted === true) + .map((item: DataViewField) => item.name); const respNames = map(indexPattern.getScriptedFields(), 'name'); expect(respNames).toEqual(scriptedNames); @@ -151,8 +151,8 @@ describe('IndexPattern', () => { describe('getNonScriptedFields', () => { test('should return all non-scripted fields', () => { const notScriptedNames = stubLogstashFields - .filter((item: IndexPatternField) => item.scripted === false) - .map((item: IndexPatternField) => item.name); + .filter((item: DataViewField) => item.scripted === false) + .map((item: DataViewField) => item.name); notScriptedNames.push('runtime_field'); const respNames = map(indexPattern.getNonScriptedFields(), 'name'); @@ -186,7 +186,7 @@ describe('IndexPattern', () => { const scriptedFields = indexPattern.getScriptedFields(); expect(scriptedFields).toHaveLength(oldCount + 1); - expect((indexPattern.fields.getByName(scriptedField.name) as IndexPatternField).name).toEqual( + expect((indexPattern.fields.getByName(scriptedField.name) as DataViewField).name).toEqual( scriptedField.name ); }); @@ -369,6 +369,8 @@ describe('IndexPattern', () => { name: 'scriptedFieldWithEmptyFormatter', type: 'number', esTypes: ['long'], + searchable: true, + aggregatable: true, }) ).toEqual( expect.objectContaining({ @@ -394,7 +396,7 @@ describe('IndexPattern', () => { } as unknown as FieldFormat; indexPattern.getFormatterForField = () => formatter; const spec = indexPattern.toSpec(); - const restoredPattern = new IndexPattern({ + const restoredPattern = new DataView({ spec, fieldFormats: fieldFormatsMock, shortDotsEnable: false, 
diff --git a/src/plugins/data_views/common/data_views/data_view.ts b/src/plugins/data_views/common/data_views/data_view.ts index d04ff5ab63d31..7d52ec86c5227 100644 --- a/src/plugins/data_views/common/data_views/data_view.ts +++ b/src/plugins/data_views/common/data_views/data_view.ts @@ -6,8 +6,6 @@ * Side Public License, v 1. */ -/* eslint-disable max-classes-per-file */ - import _, { each, reject } from 'lodash'; import { castEsToKbnFieldTypeName, ES_FIELD_TYPES, KBN_FIELD_TYPES } from '@kbn/field-types'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; @@ -17,10 +15,9 @@ import { FieldFormat, SerializedFieldFormat, } from '@kbn/field-formats-plugin/common'; +import type { DataViewBase } from '@kbn/es-query'; import { FieldAttrs, FieldAttrSet, DataViewAttributes } from '..'; import type { RuntimeField, RuntimeFieldSpec, RuntimeType, FieldConfiguration } from '../types'; - -import { IIndexPattern, IFieldType } from '..'; import { DataViewField, IIndexPatternFieldList, fieldList } from '../fields'; import { flattenHitWrapper } from './flatten_hit'; import { DataViewSpec, TypeMeta, SourceFilter, DataViewFieldMap } from '../types'; 
@@ -48,47 +45,102 @@ interface SavedObjectBody { * An interface representing a data view that is time based. */ export interface TimeBasedDataView extends DataView { + /** + * The timestamp field name. + */ timeFieldName: NonNullable; + /** + * The timestamp field. + */ getTimeField: () => DataViewField; } -export class DataView implements IIndexPattern { +/** + * Data view class. Central kibana abstraction around multiple indices. + */ +export class DataView implements DataViewBase { + /** + * Saved object id + */ public id?: string; + /** + * Title of data view + */ public title: string = ''; + /** + * Map of field formats by field name + */ public fieldFormatMap: Record; /** - * Only used by rollup indices, used by rollup specific endpoint to load field list + * Only used by rollup indices, used by rollup specific endpoint to load field list. */ public typeMeta?: TypeMeta; + /** + * Field list, in extended array format + */ public fields: IIndexPatternFieldList & { toSpec: () => DataViewFieldMap }; + /** + * Timestamp field name + */ public timeFieldName: string | undefined; /** - * Type is used to identify rollup index patterns + * Type is used to identify rollup index patterns. */ public type: string | undefined; /** * @deprecated Use `flattenHit` utility method exported from data plugin instead. */ public flattenHit: (hit: Record, deep?: boolean) => Record; + /** + * List of meta fields by name + */ public metaFields: string[]; /** * SavedObject version */ public version: string | undefined; + /** + * Array of filters - hides fields in discover + */ public sourceFilters?: SourceFilter[]; + /** + * Array of namespace ids + */ public namespaces: string[]; + /** + * Original saved object body. Used to check for saved object changes. 
+ */ private originalSavedObjectBody: SavedObjectBody = {}; + /** + * Returns true if short dot notation is enabled + */ private shortDotsEnable: boolean = false; + /** + * FieldFormats service interface + */ private fieldFormats: FieldFormatsStartCommon; + /** + * Map of field attributes by field name. Currently count and customLabel. + */ private fieldAttrs: FieldAttrs; + /** + * Map of runtime field definitions by field name + */ private runtimeFieldMap: Record; /** - * prevents errors when index pattern exists before indices + * Prevents errors when index pattern exists before indices */ public readonly allowNoIndex: boolean = false; - constructor({ spec = {}, fieldFormats, shortDotsEnable = false, metaFields = [] }: DataViewDeps) { + /** + * constructor + * @param config - config data and dependencies + */ + + constructor(config: DataViewDeps) { + const { spec = {}, fieldFormats, shortDotsEnable = false, metaFields = [] } = config; + // set dependencies this.fieldFormats = fieldFormats; // set config @@ -123,12 +175,15 @@ export class DataView implements IIndexPattern { getOriginalSavedObjectBody = () => ({ ...this.originalSavedObjectBody }); /** - * Reset last saved saved object fields. used after saving + * Reset last saved saved object fields. Used after saving. */ resetOriginalSavedObjectBody = () => { this.originalSavedObjectBody = this.getAsSavedObjectBody(); }; + /** + * Returns field attributes map + */ getFieldAttrs = () => { const newFieldAttrs = { ...this.fieldAttrs }; @@ -154,6 +209,10 @@ export class DataView implements IIndexPattern { return newFieldAttrs; }; + /** + * Returns scripted fields + */ + getComputedFields() { const scriptFields: Record = {}; if (!this.fields) { @@ -198,7 +257,7 @@ export class DataView implements IIndexPattern { } /** - * Create static representation of index pattern + * Creates static representation of the data view. */ public toSpec(): DataViewSpec { return { 
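Review bot: The JSDoc added for the private boolean field `shortDotsEnable` reads `Returns true if short dot notation is enabled`, which describes a method rather than a property; `Whether short dot notation is enabled` matches the field. The constructor's new JSDoc is separated from `constructor(config: DataViewDeps)` by a blank line, unlike every other documented member in the class, and the same detached-JSDoc pattern recurs in the `getComputedFields`, `isTimeBased`, `isTimeNanosBased`, `getFieldByName`, `getAggregationRestrictions`, `getAllRuntimeFields`, `getFieldsByRuntimeFieldName`, `setFieldAttrs`, `setFieldCustomLabel`, `setFieldCount`, `deleteFieldFormat`, `addCompositeRuntimeField` and `getCache` hunks; drop the blank line in each so the comment sits directly on its declaration. The `constructor` summary itself carries no information beyond the keyword — `Creates a data view from a spec plus the field-formats service` would say what `config` supplies.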
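Review bot: `Returns scripted fields` on `getComputedFields()` is narrower than the method's name and its visible `scriptFields` local suggest; the rest of the body is outside this hunk, but if it also assembles docvalue or runtime-field lists (as the name implies) the summary should list everything the caller gets, e.g. `Returns the computed fields (script fields and any docvalue/runtime field lists) to attach to a search request`. Confirm against the full body before committing to that wording.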
@@ -228,8 +287,8 @@ export class DataView implements IIndexPattern { } /** - * Remove scripted field from field list - * @param fieldName + * Removes scripted field from field list. + * @param fieldName name of scripted field to remove * @deprecated use runtime field instead */ @@ -242,7 +301,7 @@ export class DataView implements IIndexPattern { /** * - * @deprecated Will be removed when scripted fields are removed + * @deprecated Will be removed when scripted fields are removed. */ getNonScriptedFields() { return [...this.fields.getAll().filter((field) => !field.scripted)]; @@ -250,31 +309,51 @@ export class DataView implements IIndexPattern { /** * - * @deprecated use runtime field instead + * @deprecated Use runtime field instead. */ getScriptedFields() { return [...this.fields.getAll().filter((field) => field.scripted)]; } + /** + * Does the data view have a timestamp field? + */ + isTimeBased(): this is TimeBasedDataView { return !!this.timeFieldName && (!this.fields || !!this.getTimeField()); } + /** + * Does the data view have a timestamp field and is it a date nanos field? + */ + isTimeNanosBased(): this is TimeBasedDataView { const timeField = this.getTimeField(); return !!(timeField && timeField.esTypes && timeField.esTypes.indexOf('date_nanos') !== -1); } + /** + * Get timestamp field as DataViewField or return undefined + */ getTimeField() { if (!this.timeFieldName || !this.fields || !this.fields.getByName) return undefined; return this.fields.getByName(this.timeFieldName); } + /** + * Get field by name. + * @param name field name + */ + getFieldByName(name: string): DataViewField | undefined { if (!this.fields || !this.fields.getByName) return undefined; return this.fields.getByName(name); } + /** + * Get aggregation restrictions. Rollup fields can only perform a subset of aggregations. + */ + getAggregationRestrictions() { return this.typeMeta?.aggs; } 
@@ -305,9 +384,9 @@ export class DataView implements IIndexPattern { /** * Provide a field, get its formatter - * @param field + * @param field field to get formatter for */ - getFormatterForField(field: DataViewField | DataViewField['spec'] | IFieldType): FieldFormat { + getFormatterForField(field: DataViewField | DataViewField['spec']): FieldFormat { const fieldFormat = this.getFormatterForFieldNoDefault(field.name); if (fieldFormat) { return fieldFormat; @@ -353,7 +432,7 @@ export class DataView implements IIndexPattern { /** * Checks if runtime field exists - * @param name + * @param name field name */ hasRuntimeField(name: string): boolean { return !!this.runtimeFieldMap[name]; @@ -361,7 +440,7 @@ export class DataView implements IIndexPattern { /** * Returns runtime field if exists - * @param name + * @param name Runtime field name */ getRuntimeField(name: string): RuntimeField | null { if (!this.runtimeFieldMap[name]) { @@ -381,6 +460,11 @@ export class DataView implements IIndexPattern { return runtimeField; } + /** + * Get all runtime field definitions. + * @returns map of runtime field definitions by field name + */ + getAllRuntimeFields(): Record { return Object.keys(this.runtimeFieldMap).reduce>( (acc, fieldName) => ({ @@ -391,6 +475,12 @@ export class DataView implements IIndexPattern { ); } + /** + * Returns data view fields backed by runtime fields. + * @param name runtime field name + * @returns map of DataViewFields (that are runtime fields) by field name + */ + getFieldsByRuntimeFieldName(name: string): Record | undefined { const runtimeField = this.getRuntimeField(name); if (!runtimeField) { 
@@ -421,8 +511,8 @@ export class DataView implements IIndexPattern { } /** - * Replaces all existing runtime fields with new fields - * @param newFields + * Replaces all existing runtime fields with new fields. + * @param newFields Map of runtime field definitions by field name */ replaceAllRuntimeFields(newFields: Record) { const oldRuntimeFieldNames = Object.keys(this.runtimeFieldMap); @@ -455,7 +545,7 @@ export class DataView implements IIndexPattern { } /** - * Return the "runtime_mappings" section of the ES search query + * Return the "runtime_mappings" section of the ES search query. */ getRuntimeMappings(): estypes.MappingRuntimeFields { // @ts-expect-error The ES client does not yet include the "composite" runtime type @@ -463,8 +553,8 @@ export class DataView implements IIndexPattern { } /** - * Get formatter for a given field name. Return undefined if none exists - * @param field + * Get formatter for a given field name. Return undefined if none exists. + * @param fieldname name of field to get formatter for */ getFormatterForFieldNoDefault(fieldname: string) { const formatSpec = this.fieldFormatMap[fieldname]; @@ -473,6 +563,13 @@ export class DataView implements IIndexPattern { } } + /** + * Set field attribute + * @param fieldName name of field to set attribute on + * @param attrName name of attribute to set + * @param value value of attribute + */ + protected setFieldAttrs( fieldName: string, attrName: K, @@ -484,6 +581,12 @@ export class DataView implements IIndexPattern { this.fieldAttrs[fieldName][attrName] = value; } + /** + * Set field custom label + * @param fieldName name of field to set custom label on + * @param customLabel custom label value. If undefined, custom label is removed + */ + public setFieldCustomLabel(fieldName: string, customLabel: string | undefined | null) { const fieldObject = this.fields.getByName(fieldName); const newCustomLabel: string | undefined = customLabel === null ? undefined : customLabel; 
@@ -495,6 +598,12 @@ export class DataView implements IIndexPattern { this.setFieldAttrs(fieldName, 'customLabel', newCustomLabel); } + /** + * Set field count + * @param fieldName name of field to set count on + * @param count count value. If undefined, count is removed + */ + public setFieldCount(fieldName: string, count: number | undefined | null) { const fieldObject = this.fields.getByName(fieldName); const newCount: number | undefined = count === null ? undefined : count; @@ -506,14 +615,31 @@ export class DataView implements IIndexPattern { this.setFieldAttrs(fieldName, 'count', newCount); } + /** + * Set field formatter + * @param fieldName name of field to set format on + * @param format field format in serialized form + */ public readonly setFieldFormat = (fieldName: string, format: SerializedFieldFormat) => { this.fieldFormatMap[fieldName] = format; }; + /** + * Remove field format from the field format map. + * @param fieldName field name associated with the format for removal + */ + public readonly deleteFieldFormat = (fieldName: string) => { delete this.fieldFormatMap[fieldName]; }; + /** + * Add composite runtime field and all subfields. + * @param name field name + * @param runtimeField runtime field definition + * @returns data view field instance + */ + private addCompositeRuntimeField(name: string, runtimeField: RuntimeField): DataViewField[] { const { fields } = runtimeField; @@ -600,8 +726,3 @@ export class DataView implements IIndexPattern { return createdField ?? existingField!; } } - -/** - * @deprecated Use DataView instead. All index pattern interfaces were renamed. - */ -export class IndexPattern extends DataView {} diff --git a/src/plugins/data_views/common/data_views/data_views.ts b/src/plugins/data_views/common/data_views/data_views.ts index b263c7d77fe3b..18142ab19070b 100644 --- a/src/plugins/data_views/common/data_views/data_views.ts +++ b/src/plugins/data_views/common/data_views/data_views.ts 
@@ -13,11 +13,8 @@ import { PublicMethodsOf } from '@kbn/utility-types'; import { castEsToKbnFieldTypeName } from '@kbn/field-types'; import { FieldFormatsStartCommon, FORMATS_UI_SETTINGS } from '@kbn/field-formats-plugin/common'; import { SavedObjectNotFound } from '@kbn/kibana-utils-plugin/common'; -import { - DATA_VIEW_SAVED_OBJECT_TYPE, - DEFAULT_ASSETS_TO_IGNORE, - SavedObjectsClientCommon, -} from '..'; +import { DATA_VIEW_SAVED_OBJECT_TYPE, DEFAULT_ASSETS_TO_IGNORE } from '..'; +import { SavedObjectsClientCommon } from '../types'; import { createDataViewCache } from '.'; import type { RuntimeField, RuntimeFieldSpec, RuntimeType } from '../types'; 
@@ -43,63 +40,214 @@ import { DuplicateDataViewError, DataViewInsufficientAccessError } from '../erro const MAX_ATTEMPTS_TO_RESOLVE_CONFLICTS = 3; -export type IndexPatternSavedObjectAttrs = Pick; +export type DataViewSavedObjectAttrs = Pick; export type IndexPatternListSavedObjectAttrs = Pick< DataViewAttributes, 'title' | 'type' | 'typeMeta' >; +/** + * Result from data view search - summary data. + */ export interface DataViewListItem { + /** + * Saved object id + */ id: string; + /** + * Namespace ids + */ namespaces?: string[]; + /** + * Data view title + */ title: string; + /** + * Data view type + */ type?: string; + /** + * Data view type meta + */ typeMeta?: TypeMeta; } +/** + * Data views API service dependencies + */ export interface DataViewsServiceDeps { + /** + * UiSettings service instance wrapped in a common interface + */ uiSettings: UiSettingsCommon; + /** + * Saved objects client interface wrapped in a common interface + */ savedObjectsClient: SavedObjectsClientCommon; + /** + * Wrapper around http call functionality so it can be used on client or server + */ apiClient: IDataViewsApiClient; + /** + * Field formats service + */ fieldFormats: FieldFormatsStartCommon; + /** + * Hander for service notifications + */ onNotification: OnNotification; + /** + * Handler for service errors + */ onError: OnError; + /** + * Redirects when there's no data view. only used on client + */ onRedirectNoIndexPattern?: () => void; + /** + * Determines whether the user can save data views + */ getCanSave: () => Promise; } +/** + * Data views API service methods + * @public + */ export interface DataViewsServicePublicMethods { + /** + * Clear the cache of data views. + * @param id + */ clearCache: (id?: string | undefined) => void; + /** + * Create data view based on the provided spec. + * @param spec - Data view spec. + * @param skipFetchFields - If true, do not fetch fields. 
+ */ create: (spec: DataViewSpec, skipFetchFields?: boolean) => Promise; + /** + * Create and save data view based on provided spec. + * @param spec - Data view spec. + * @param override - If true, save over existing data view + * @param skipFetchFields - If true, do not fetch fields. + */ createAndSave: ( spec: DataViewSpec, override?: boolean, skipFetchFields?: boolean ) => Promise; + /** + * Save data view + * @param dataView - Data view instance to save. + * @param override - If true, save over existing data view + */ createSavedObject: (indexPattern: DataView, override?: boolean) => Promise; + /** + * Delete data view + * @param indexPatternId - Id of the data view to delete. + */ delete: (indexPatternId: string) => Promise<{}>; + /** + * @deprecated Use `getDefaultDataView` instead (when loading data view) and handle + * 'no data view' case in api consumer code - no more auto redirect + */ ensureDefaultDataView: EnsureDefaultDataView; + /** + * Takes field array and field attributes and returns field map by name. + * @param fields - Array of fieldspecs + * @params fieldAttrs - Field attributes, map by name + * @returns Field map by name + */ fieldArrayToMap: (fields: FieldSpec[], fieldAttrs?: FieldAttrs | undefined) => DataViewFieldMap; + /** + * Search for data views based on title + * @param search - Search string + * @param size - Number of results to return + */ find: (search: string, size?: number) => Promise; + /** + * Get data view by id. + * @param id - Id of the data view to get. + */ get: (id: string) => Promise; - getCache: () => Promise> | null | undefined>; + /** + * Get populated data view saved object cache. + */ + getCache: () => Promise> | null | undefined>; + /** + * If user can save data view, return true. + */ getCanSave: () => Promise; + /** + * Get default data view as data view instance. + */ getDefault: () => Promise; + /** + * Get default data view id. 
+ */ getDefaultId: () => Promise; + /** + * Get default data view, if it doesn't exist, choose and save new default data view and return it. + */ getDefaultDataView: () => Promise; + /** + * Get fields for data view + * @param dataView - Data view instance or spec + * @param options - Options for getting fields + * @returns FieldSpec array + */ getFieldsForIndexPattern: ( indexPattern: DataView | DataViewSpec, options?: GetFieldsOptions | undefined ) => Promise; + /** + * Get fields for index pattern string + * @param options - options for getting fields + */ getFieldsForWildcard: (options: GetFieldsOptions) => Promise; + /** + * Get list of data view ids. + * @param refresh - clear cache and fetch from server + */ getIds: (refresh?: boolean) => Promise; + /** + * Get list of data view ids and title (and more) for each data view. + * @param refresh - clear cache and fetch from server + */ getIdsWithTitle: (refresh?: boolean) => Promise; + /** + * Get list of data view ids and title (and more) for each data view. + * @param refresh - clear cache and fetch from server + */ getTitles: (refresh?: boolean) => Promise; + /** + * Returns true if user has access to view a data view. + */ hasUserDataView: () => Promise; + /** + * Refresh fields for data view instance + * @params dataView - Data view instance + */ refreshFields: (indexPattern: DataView) => Promise; + /** + * Converts data view saved object to spec + * @params savedObject - Data view saved object + */ savedObjectToSpec: (savedObject: SavedObject) => DataViewSpec; + /** + * Set default data view. + * @param id - Id of the data view to set as default. 
+ * @param force - Overwrite if true + */ setDefault: (id: string | null, force?: boolean) => Promise; + /** + * Save saved object + * @param indexPattern - data view instance + * @param saveAttempts - number of times to try saving + * @oaram ignoreErrors - if true, do not throw error on failure + */ updateSavedObject: ( indexPattern: DataView, saveAttempts?: number, @@ -107,25 +255,32 @@ export interface DataViewsServicePublicMethods { ) => Promise; } +/** + * Data views service, providing CRUD operations for data views. + * @public + */ export class DataViewsService { private config: UiSettingsCommon; private savedObjectsClient: SavedObjectsClientCommon; - private savedObjectsCache?: Array> | null; + private savedObjectsCache?: Array> | null; private apiClient: IDataViewsApiClient; private fieldFormats: FieldFormatsStartCommon; /** - * Handler for service notifications + * Handler for service notifications * @param toastInputFields notification content in toast format * @param key used to indicate uniqueness of the notification */ private onNotification: OnNotification; /* - * Handler for service errors + * Handler for service errors * @param error notification content in toast format * @param key used to indicate uniqueness of the error */ private onError: OnError; private dataViewCache: ReturnType; + /** + * Can the user save data views? + */ public getCanSave: () => Promise; /** 
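Review bot: Several of the new JSDoc blocks on `DataViewsServicePublicMethods` have tag errors that doc tooling will either drop or mis-render: `@params fieldAttrs` (fieldArrayToMap), `@params dataView` (refreshFields), `@params savedObject` (savedObjectToSpec) and `@oaram ignoreErrors` (updateSavedObject) should all be `@param`, and `Hander for service notifications` should read `Handler`. The `@param` names also diverge from the declared parameter names in `createSavedObject`, `getFieldsForIndexPattern` and `refreshFields`, which document `dataView` while the signature still says `indexPattern`; either rename the parameters or the tags so they match. `getTitles` carries a copy of the `getIdsWithTitle` summary (`Get list of data view ids and title (and more)`) even though it returns titles only — `Get list of data view titles.` is what its name promises.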
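Review bot: The `onError` comment block in the `DataViewsService` class hunk is touched (its first line is rewritten) but still opens with `/*` rather than `/**`, so unlike the `onNotification` block directly above it is not picked up as JSDoc; change the opener to `/**` while the line is being edited. The new `Can the user save data views?` summary on `getCanSave` is fine.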
@@ -134,33 +289,38 @@ export class DataViewsService { */ ensureDefaultDataView: EnsureDefaultDataView; - constructor({ - uiSettings, - savedObjectsClient, - apiClient, - fieldFormats, - onNotification, - onError, - onRedirectNoIndexPattern = () => {}, - getCanSave = () => Promise.resolve(false), - }: DataViewsServiceDeps) { + /** + * DataViewsService constructor + * @param deps Service dependencies + */ + constructor(deps: DataViewsServiceDeps) { + const { + uiSettings, + savedObjectsClient, + apiClient, + fieldFormats, + onNotification, + onError, + onRedirectNoIndexPattern = () => {}, + getCanSave = () => Promise.resolve(false), + } = deps; this.apiClient = apiClient; this.config = uiSettings; this.savedObjectsClient = savedObjectsClient; this.fieldFormats = fieldFormats; this.onNotification = onNotification; this.onError = onError; - this.ensureDefaultDataView = createEnsureDefaultDataView(uiSettings, onRedirectNoIndexPattern); + this.ensureDefaultDataView = createEnsureDefaultDataView(onRedirectNoIndexPattern); this.getCanSave = getCanSave; this.dataViewCache = createDataViewCache(); } /** - * Refresh cache of index pattern ids and titles + * Refresh cache of index pattern ids and titles. */ private async refreshSavedObjectsCache() { - const so = await this.savedObjectsClient.find({ + const so = await this.savedObjectsClient.find({ type: DATA_VIEW_SAVED_OBJECT_TYPE, fields: ['title', 'type', 'typeMeta'], perPage: 10000, @@ -169,7 +329,7 @@ export class DataViewsService { } /** - * Get list of index pattern ids + * Gets list of index pattern ids. * @param refresh Force refresh of index pattern list */ getIds = async (refresh: boolean = false) => { @@ -183,7 +343,7 @@ export class DataViewsService { }; /** - * Get list of index pattern titles + * Gets list of index pattern titles. * @param refresh Force refresh of index pattern list */ getTitles = async (refresh: boolean = false): Promise => { 
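Review bot: The comment above `private onError: OnError;` opens with `/*` rather than `/**`, so unlike the sibling `onNotification` block it is not a JSDoc comment and is invisible to any tooling that reads JSDoc; the commit reflows its text but keeps the opener. Change `/*` to `/**` so the `@param error` and `@param key` tags are attached to the field like the block directly above it.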
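Review bot: The new constructor doc `@param deps Service dependencies` hides two defaults that now live inside the body: `onRedirectNoIndexPattern = () => {}` and `getCanSave = () => Promise.resolve(false)`. The second one matters to callers, because a caller that omits `getCanSave` gets a service whose save paths fail closed (`createSavedObject` later in this file throws `DataViewInsufficientAccessError` when it resolves false). Suggest adding to the constructor doc: `Omitting getCanSave defaults it to () => Promise.resolve(false), so saving is denied until the caller supplies a real capability check; onRedirectNoIndexPattern defaults to a no-op.` The same defaults belong on `DataViewsServiceDeps`, whose definition is outside this hunk.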
@@ -197,13 +357,13 @@ export class DataViewsService { }; /** - * Find and load index patterns by title - * @param search - * @param size - * @returns IndexPattern[] + * Find and load index patterns by title. + * @param search Search string + * @param size Number of data views to return + * @returns DataView[] */ find = async (search: string, size: number = 10): Promise => { - const savedObjects = await this.savedObjectsClient.find({ + const savedObjects = await this.savedObjectsClient.find({ type: DATA_VIEW_SAVED_OBJECT_TYPE, fields: ['title'], search, @@ -217,7 +377,7 @@ export class DataViewsService { }; /** - * Get list of index pattern ids with titles + * Gets list of index pattern ids with titles. * @param refresh Force refresh of index pattern list */ getIdsWithTitle = async (refresh: boolean = false): Promise => { @@ -237,7 +397,7 @@ export class DataViewsService { }; /** - * Clear index pattern list cache + * Clear index pattern list cache. * @param id optionally clear a single id */ clearCache = (id?: string) => { @@ -249,6 +409,10 @@ export class DataViewsService { } }; + /** + * Get cache, contains data view saved objects. + */ + getCache = async () => { if (!this.savedObjectsCache) { await this.refreshSavedObjectsCache(); @@ -278,8 +442,8 @@ export class DataViewsService { /** * Optionally set default index pattern, unless force = true - * @param id - * @param force + * @param id data view id + * @param force set default data view even if there's an existing default */ setDefault = async (id: string | null, force = false) => { if (force || !(await this.config.get('defaultIndex'))) { 
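Review bot: The summary line kept on `setDefault`, `Optionally set default index pattern, unless force = true`, says the opposite of what the new `@param force` line and the code express: the visible condition is `if (force || !(await this.config.get('defaultIndex')))`, so without force the default is written only when none exists, and force overwrites an existing one. Suggest `Sets the default data view if none is set; with force = true an existing default is overwritten.` The remainder of setDefault's body lies outside the hunk.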
@@ -288,15 +452,15 @@ export class DataViewsService { }; /** - * Checks if current user has a user created index pattern ignoring fleet's server default index patterns + * Checks if current user has a user created index pattern ignoring fleet's server default index patterns. */ async hasUserDataView(): Promise { return this.apiClient.hasUserIndexPattern(); } /** - * Get field list by providing { pattern } - * @param options + * Get field list by providing { pattern }. + * @param options options for getting field list * @returns FieldSpec[] */ getFieldsForWildcard = async (options: GetFieldsOptions): Promise => { @@ -312,8 +476,8 @@ export class DataViewsService { }; /** - * Get field list by providing an index patttern (or spec) - * @param options + * Get field list by providing an index patttern (or spec). + * @param options options for getting field list * @returns FieldSpec[] */ getFieldsForIndexPattern = async ( @@ -328,7 +492,7 @@ export class DataViewsService { }); /** - * Refresh field list for a given index pattern + * Refresh field list for a given index pattern. * @param indexPattern */ refreshFields = async (indexPattern: DataView) => { @@ -363,7 +527,7 @@ export class DataViewsService { }; /** - * Refreshes a field list from a spec before an index pattern instance is created + * Refreshes a field list from a spec before an index pattern instance is created. * @param fields * @param id * @param title @@ -417,7 +581,7 @@ export class DataViewsService { }; /** - * Converts field array to map + * Converts field array to map. * @param fields: FieldSpec[] * @param fieldAttrs: FieldAttrs * @returns Record @@ -433,7 +597,7 @@ export class DataViewsService { }, {}); /** - * Converts index pattern saved object to index pattern spec + * Converts data view saved object to data view spec. * @param savedObject * @returns DataViewSpec */ 
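Review bot: The reworded doc for `getFieldsForIndexPattern` still carries the typo `index patttern (or spec)` on the new side. Suggest `Get field list by providing a data view (or spec).`, which also matches the terminology the commit adopts elsewhere in this file (`@returns DataView[]` on `find`).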
@@ -586,10 +750,9 @@ export class DataViewsService { }; /** - * Get an index pattern by id. Cache optimized + * Get an index pattern by id, cache optimized. * @param id */ - get = async (id: string): Promise => { const indexPatternPromise = this.dataViewCache.get(id) || this.dataViewCache.set(id, this.getSavedObjectAndInit(id)); @@ -603,10 +766,10 @@ export class DataViewsService { }; /** - * Create a new index pattern instance - * @param spec - * @param skipFetchFields - * @returns IndexPattern + * Create a new data view instance. + * @param spec data view spec + * @param skipFetchFields if true, will not fetch fields + * @returns DataView */ async create(spec: DataViewSpec, skipFetchFields = false): Promise { const shortDotsEnable = await this.config.get(FORMATS_UI_SETTINGS.SHORT_DOTS_ENABLE); @@ -627,8 +790,8 @@ export class DataViewsService { } /** - * Create a new index pattern and save it right away - * @param spec + * Create a new data view and save it right away. + * @param spec data view spec * @param override Overwrite if existing index pattern exists. * @param skipFetchFields Whether to skip field refresh step. */ 
@@ -641,30 +804,30 @@ export class DataViewsService { } /** - * Save a new index pattern - * @param indexPattern + * Save a new data view. + * @param dataView data view instance * @param override Overwrite if existing index pattern exists */ - async createSavedObject(indexPattern: DataView, override = false) { + async createSavedObject(dataView: DataView, override = false) { if (!(await this.getCanSave())) { throw new DataViewInsufficientAccessError(); } - const dupe = await findByTitle(this.savedObjectsClient, indexPattern.title); + const dupe = await findByTitle(this.savedObjectsClient, dataView.title); if (dupe) { if (override) { await this.delete(dupe.id); } else { - throw new DuplicateDataViewError(`Duplicate index pattern: ${indexPattern.title}`); + throw new DuplicateDataViewError(`Duplicate data view: ${dataView.title}`); } } - const body = indexPattern.getAsSavedObjectBody(); + const body = dataView.getAsSavedObjectBody(); const response: SavedObject = (await this.savedObjectsClient.create( DATA_VIEW_SAVED_OBJECT_TYPE, body, { - id: indexPattern.id, + id: dataView.id, } )) as SavedObject; @@ -677,7 +840,7 @@ export class DataViewsService { } /** - * Save existing index pattern. Will attempt to merge differences if there are conflicts + * Save existing dat aview. Will attempt to merge differences if there are conflicts. * @param indexPattern * @param saveAttempts */ @@ -773,7 +936,7 @@ export class DataViewsService { } /** - * Deletes an index pattern from .kibana index + * Deletes an index pattern from .kibana index. * @param indexPatternId: Id of kibana Index Pattern to delete */ async delete(indexPatternId: string) { 
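Review bot: `createSavedObject` throws `DataViewInsufficientAccessError()` with no argument, so the message the error constructor builds on the new side reads `Operation failed due to insufficient access, id: undefined`; the commit renames the surrounding parameter but does not address this. Either pass `dataView.id` (which may itself be unset for a view that has not been saved yet) or make the error class omit the `, id:` suffix when no id is given. Separately, the thrown text changes from `Duplicate index pattern:` to `Duplicate data view:`; anything matching on message text rather than `instanceof DuplicateDataViewError` or `error.name` silently stops matching, so a grep before merge is worthwhile. The find-by-title, delete-when-`override`, create sequence is not atomic — pre-existing, but a doc line `Not atomic: a concurrent create with the same title can still produce a duplicate` would set expectations for callers. The `dat aview` typo in the `updateSavedObject` doc in the next hunk should also be fixed.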
@@ -788,7 +951,7 @@ export class DataViewsService { * Returns the default data view as an object. * If no default is found, or it is missing * another data view is selected as default and returned. - * If no possible data view found to become a default returns null + * If no possible data view found to become a default returns null. * * @returns default data view */ @@ -828,9 +991,9 @@ export class DataViewsService { */ export class IndexPatternsService extends DataViewsService {} -export type DataViewsContract = PublicMethodsOf; - /** - * @deprecated Use DataViewsContract. All index pattern interfaces were renamed. + * Data views service interface + * @public */ -export type IndexPatternsContract = DataViewsContract; + +export type DataViewsContract = PublicMethodsOf; diff --git a/src/plugins/data_views/common/data_views/ensure_default_data_view.ts b/src/plugins/data_views/common/data_views/ensure_default_data_view.ts index 42e984a3fa88a..4e7df93bf43e9 100644 --- a/src/plugins/data_views/common/data_views/ensure_default_data_view.ts +++ b/src/plugins/data_views/common/data_views/ensure_default_data_view.ts 
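Review bot: The hunk removes the exported alias `IndexPatternsContract` while keeping the `IndexPatternsService` class alias above it, so consumers importing the type break but those importing the class do not; if that asymmetry is deliberate it should be stated in the release notes, which I cannot see from here. The replacement doc block is also followed by a stray empty `+` line before `export type DataViewsContract`, which some documentation tooling treats as detaching the comment from the declaration; drop the blank line.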
@@ -7,18 +7,21 @@ */ import { DataViewsContract } from './data_views'; -import { UiSettingsCommon } from '../types'; - -export type EnsureDefaultDataView = () => Promise | undefined; +/** + * Checks whether a default data view is set and exists and defines + * one otherwise. + * @public + */ +export type EnsureDefaultDataView = () => Promise | void; -export const createEnsureDefaultDataView = ( - uiSettings: UiSettingsCommon, - onRedirectNoDefaultView: () => Promise | void -) => { - /** - * Checks whether a default data view is set and exists and defines - * one otherwise. - */ +/** + * Checks whether a default data view is set and exists and defines + * one otherwise. + * @public + * @param onRedirectNoDefaultView - Callback to redirect to a new data view + * @return returned promise resolves when the default data view is set + */ +export const createEnsureDefaultDataView = (onRedirectNoDefaultView: EnsureDefaultDataView) => { return async function ensureDefaultDataView(this: DataViewsContract) { if (!(await this.getDefaultDataView())) { return onRedirectNoDefaultView(); diff --git a/src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts b/src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts index 3fcb281655727..f1c9ecaee5026 100644 --- a/src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts +++ b/src/plugins/data_views/common/errors/data_view_saved_object_conflict.ts @@ -6,7 +6,14 @@ * Side Public License, v 1. */ +/** + * Error thrown when saved object has been changed when attempting to save. + */ export class DataViewSavedObjectConflictError extends Error { + /** + * constructor + * @param savedObjectId saved object id with conflict + */ constructor(savedObjectId: string) { super(`Conflict loading DataView saved object, id: ${savedObjectId}`); this.name = 'DataViewSavedObjectConflictError'; 
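Review bot: `createEnsureDefaultDataView` now types its `onRedirectNoDefaultView` callback as `EnsureDefaultDataView`, whose doc reads `Checks whether a default data view is set and exists and defines one otherwise`; that describes the returned function, not the redirect callback, so one type name now carries two meanings. The new `@return returned promise resolves when the default data view is set` is also inaccurate on the visible line `return onRedirectNoDefaultView();` — when no default exists the result is whatever the redirect callback returns. Suggest a separate callback type for the parameter (e.g. `OnRedirectNoDefaultView`) and `@returns the redirect callback's result when no default data view exists` — the branch taken after a default is found is outside the hunk, so confirm what it returns before documenting it.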
diff --git a/src/plugins/data_views/common/errors/duplicate_index_pattern.ts b/src/plugins/data_views/common/errors/duplicate_index_pattern.ts index 942c104eee4e5..455ee0cd1a3eb 100644 --- a/src/plugins/data_views/common/errors/duplicate_index_pattern.ts +++ b/src/plugins/data_views/common/errors/duplicate_index_pattern.ts @@ -6,7 +6,15 @@ * Side Public License, v 1. */ +/** + * Error thrown when attempting to create duplicate index pattern based on title. + * @public + */ export class DuplicateDataViewError extends Error { + /** + * constructor + * @param message - Error message + */ constructor(message: string) { super(message); this.name = 'DuplicateDataViewError'; diff --git a/src/plugins/data_views/common/errors/insufficient_access.ts b/src/plugins/data_views/common/errors/insufficient_access.ts index 48c826ec78557..47cd507cb54e5 100644 --- a/src/plugins/data_views/common/errors/insufficient_access.ts +++ b/src/plugins/data_views/common/errors/insufficient_access.ts @@ -6,7 +6,16 @@ * Side Public License, v 1. */ +/** + * Error thrown when action attempted without sufficient access. + * @constructor + * @param {string} message - Saved object id of data view for display in error message + */ export class DataViewInsufficientAccessError extends Error { + /** + * constructor + * @param {string} message - Saved object id of data view for display in error message + */ constructor(savedObjectId?: string) { super(`Operation failed due to insufficient access, id: ${savedObjectId}`); this.name = 'DataViewInsufficientAccessError'; diff --git a/src/plugins/data_views/common/expressions/load_index_pattern.ts b/src/plugins/data_views/common/expressions/load_index_pattern.ts index 19bb928557988..58510bf3a70f9 100644 --- a/src/plugins/data_views/common/expressions/load_index_pattern.ts +++ b/src/plugins/data_views/common/expressions/load_index_pattern.ts 
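Review bot: Both new doc blocks on `DataViewInsufficientAccessError` document a parameter named `message`, but the constructor's parameter is `savedObjectId?: string`, and the class-level block needlessly repeats the constructor's `@constructor`/`@param` tags. Because the parameter is optional and interpolated directly, a call without an argument (as `createSavedObject` in data_views.ts does) produces `Operation failed due to insufficient access, id: undefined`; build the suffix conditionally, `super('Operation failed due to insufficient access' + (savedObjectId ? ', id: ' + savedObjectId : ''));`. Replace the two blocks with a single `@param savedObjectId - Id of the data view the operation targeted, if known` on the constructor.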
@@ -15,8 +15,18 @@ import { DataViewSpec } from '..'; const name = 'indexPatternLoad'; const type = 'index_pattern'; +/** + * Index pattern expression interface + * @public + */ export interface IndexPatternExpressionType { + /** + * Expression type + */ type: typeof type; + /** + * Value - DataViewSpec + */ value: DataViewSpec; } diff --git a/src/plugins/data_views/common/fields/data_view_field.test.ts b/src/plugins/data_views/common/fields/data_view_field.test.ts index 2bf2c5490f2b0..315758a2007e1 100644 --- a/src/plugins/data_views/common/fields/data_view_field.test.ts +++ b/src/plugins/data_views/common/fields/data_view_field.test.ts @@ -6,8 +6,8 @@ * Side Public License, v 1. */ -import { IndexPatternField } from './data_view_field'; -import { IndexPattern } from '..'; +import { DataView } from '..'; +import { DataViewField } from './data_view_field'; import { KBN_FIELD_TYPES } from '@kbn/field-types'; import { FieldSpec, RuntimeField } from '../types'; import { FieldFormat } from '@kbn/field-formats-plugin/common'; @@ -18,7 +18,7 @@ describe('Field', function () { } function getField(values = {}) { - return new IndexPatternField({ ...fieldValues, ...values }); + return new DataViewField({ ...fieldValues, ...values }); } const fieldValues = { @@ -40,7 +40,7 @@ describe('Field', function () { displayName: 'displayName', indexPattern: { fieldFormatMap: { name: {}, _source: {}, _score: {}, _id: {} }, - } as unknown as IndexPattern, + } as unknown as DataView, $$spec: {} as unknown as FieldSpec, conflictDescriptions: { a: ['b', 'c'], d: ['e'] }, runtimeField: { 
@@ -146,12 +146,12 @@ describe('Field', function () { }); it('exports the property to JSON', () => { - const field = new IndexPatternField(fieldValues); + const field = new DataViewField(fieldValues); expect(flatten(field)).toMatchSnapshot(); }); it('spec snapshot', () => { - const field = new IndexPatternField(fieldValues); + const field = new DataViewField(fieldValues); const getFormatterForField = () => ({ toJSON: () => ({ diff --git a/src/plugins/data_views/common/fields/data_view_field.ts b/src/plugins/data_views/common/fields/data_view_field.ts index a10c4268888db..e785f2305732a 100644 --- a/src/plugins/data_views/common/fields/data_view_field.ts +++ b/src/plugins/data_views/common/fields/data_view_field.ts @@ -6,12 +6,10 @@ * Side Public License, v 1. */ -/* eslint-disable max-classes-per-file */ - import { KbnFieldType, getKbnFieldType } from '@kbn/field-types'; import { KBN_FIELD_TYPES } from '@kbn/field-types'; +import { DataViewFieldBase } from '@kbn/es-query'; import type { RuntimeFieldSpec } from '../types'; -import type { IFieldType } from './types'; import { FieldSpec, DataView } from '..'; import { shortenDottedString, @@ -21,12 +19,34 @@ import { getDataViewFieldSubtypeNested, } from './utils'; -/** @public */ -export class DataViewField implements IFieldType { +/** + * Optional format getter when serializing a field + * @public + */ +export interface ToSpecConfig { + /** + * Field format getter + */ + getFormatterForField?: DataView['getFormatterForField']; +} + +/** + * Data view field class + * @public + */ +export class DataViewField implements DataViewFieldBase { readonly spec: FieldSpec; // not writable or serialized + /** + * Kbn field type, used mainly for formattering. + */ private readonly kbnFieldType: KbnFieldType; + /** + * DataView constructor + * @constructor + * @param spec Configuration for the field + */ constructor(spec: FieldSpec) { this.spec = { ...spec, type: spec.name === '_source' ? '_source' : spec.type }; 
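Review bot: The JSDoc on the `DataViewField` constructor reads `DataView constructor`, which names the wrong class; it should be `DataViewField constructor`. The same hunk introduces `ToSpecConfig` (`getFormatterForField?: DataView['getFormatterForField']`), a duplicate of the new `ToSpecOptions` interface in field_list.ts later in this diff — one exported interface (`ToSpecConfig` is already re-exported from common/index.ts) used by both `DataViewField.toSpec` and `IIndexPatternFieldList.toSpec` would keep the two signatures from drifting. Minor: `formattering` in the `kbnFieldType` doc.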
@@ -35,20 +55,32 @@ export class DataViewField implements IFieldType { // writable attrs /** - * Count is used for field popularity + * Count is used for field popularity in discover. */ public get count() { return this.spec.count || 0; } + /** + * Set count, which is used for field popularity in discover. + * @param count count number + */ public set count(count: number) { this.spec.count = count; } + /** + * Returns runtime field definition or undefined if field is not runtime field. + */ + public get runtimeField() { return this.spec.runtimeField; } + /** + * Sets runtime field definition or unsets if undefined is provided. + * @param runtimeField runtime field definition + */ public set runtimeField(runtimeField: RuntimeFieldSpec | undefined) { this.spec.runtimeField = runtimeField; } @@ -60,6 +92,10 @@ export class DataViewField implements IFieldType { return this.spec.script; } + /** + * Sets scripted field painless code + * @param script Painless code + */ public set script(script) { this.spec.script = script; } 
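Review bot: Several of the added JSDoc blocks in this hunk are separated from their declaration by an empty added line, e.g. `+ */` / `+` / `+ public get runtimeField()`, while neighbours such as `set count` have none. Whether a blank line breaks the comment-to-declaration association depends on the tool consuming the comments, so the inconsistency is at least a style issue and possibly a documentation-loss one; remove the blank after `*/` here and where the same pattern recurs in this file's `@@ -71`, `@@ -107`, `@@ -142`, `@@ -154`, `@@ -162` and `@@ -231` hunks, on `getDataViewFieldSubtypeMulti` in utils.ts, on `validateDataView` and `validateIndexPattern`, and on the `RuntimeType` / `RuntimeTypeExceptComposite` aliases in types.ts.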
@@ -71,34 +107,59 @@ export class DataViewField implements IFieldType { return this.spec.lang; } + /** + * Sets scripted field langauge. + * @param lang Scripted field language + */ public set lang(lang) { this.spec.lang = lang; } + /** + * Returns custom label if set, otherwise undefined. + */ + public get customLabel() { return this.spec.customLabel; } + /** + * Sets custom label for field, or unsets if passed undefined. + * @param customLabel custom label value + */ public set customLabel(customLabel) { this.spec.customLabel = customLabel; } /** - * Description of field type conflicts across different indices in the same index pattern + * Description of field type conflicts across different indices in the same index pattern. */ public get conflictDescriptions() { return this.spec.conflictDescriptions; } + /** + * Sets conflict descriptions for field. + * @param conflictDescriptions conflict descriptions + */ + public set conflictDescriptions(conflictDescriptions) { this.spec.conflictDescriptions = conflictDescriptions; } // read only attrs + + /** + * Get field name + */ public get name() { return this.spec.name; } + /** + * Gets display name, calcualted based on name, custom label and shortDotsEnable. + */ + public get displayName(): string { return this.spec.customLabel ? this.spec.customLabel 
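Review bot: Two spelling errors in the added doc lines: `Sets scripted field langauge.` on the `lang` setter and `calcualted` on the `displayName` getter. The `displayName` doc could also state the precedence the visible line shows — `customLabel` first, then the name: `Display name: the custom label if set, otherwise the field name (shortened when shortDotsEnable is on).` — the shortening branch itself is outside the hunk, so confirm it before quoting that part.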
@@ -107,30 +168,57 @@ export class DataViewField implements IFieldType { : this.spec.name; } + /** + * Gets field type + */ public get type() { return this.spec.type; } + /** + * Gets ES types as string array + */ + public get esTypes() { return this.spec.esTypes; } + /** + * Returns true if scripted field + */ + public get scripted() { return !!this.spec.scripted; } + /** + * Returns true if field is searchable + */ + public get searchable() { return !!(this.spec.searchable || this.scripted); } + /** + * Returns true if field is aggregatable + */ + public get aggregatable() { return !!(this.spec.aggregatable || this.scripted); } + /** + * Returns true if field is available via doc values + */ + public get readFromDocValues() { return !!(this.spec.readFromDocValues && !this.scripted); } + /** + * Returns field subtype, multi, nested, or undefined if neither + */ + public get subType() { return this.spec.subType; } @@ -142,11 +230,19 @@ export class DataViewField implements IFieldType { return this.spec.isMapped; } + /** + * Returns true if runtime field defined on data view + */ + public get isRuntimeField() { return !this.isMapped && this.runtimeField !== undefined; } // not writable, not serialized + + /** + * Returns true if field is sortable + */ public get sortable() { return ( this.name === '_score' || @@ -154,6 +250,10 @@ export class DataViewField implements IFieldType { ); } + /** + * Returns true if field is filterable + */ + public get filterable() { return ( this.name === '_id' || 
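Review bot: The new doc on `get esTypes()`, `Gets ES types as string array`, loses a caveat the commit deletes together with fields/types.ts: `esTypes might be undefined on old index patterns that have not been refreshed since we added this prop. It is also undefined on scripted fields.` The getter returns `this.spec.esTypes` unchanged, so that caveat still applies to this accessor; move it here instead of dropping it, e.g. `ES types as a string array; undefined on scripted fields and on data views not refreshed since the property was introduced.`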
@@ -162,31 +262,57 @@ export class DataViewField implements IFieldType { ); } + /** + * Returns true if field is visualizable + */ + public get visualizable() { const notVisualizableFieldTypes: string[] = [KBN_FIELD_TYPES.UNKNOWN, KBN_FIELD_TYPES.CONFLICT]; return this.aggregatable && !notVisualizableFieldTypes.includes(this.spec.type); } + /** + * Returns true if field is subtype nested + */ public isSubtypeNested() { return isDataViewFieldSubtypeNested(this); } + /** + * Returns true if field is subtype multi + */ + public isSubtypeMulti() { return isDataViewFieldSubtypeMulti(this); } + /** + * Returns subtype nested data if exists + */ + public getSubtypeNested() { return getDataViewFieldSubtypeNested(this); } + /** + * Returns subtype multi data if exists + */ + public getSubtypeMulti() { return getDataViewFieldSubtypeMulti(this); } + /** + * Deletes count value. Popularity as used by discover + */ + public deleteCount() { delete this.spec.count; } + /** + * JSON version of field + */ public toJSON() { return { count: this.count, @@ -205,11 +331,14 @@ export class DataViewField implements IFieldType { }; } - public toSpec({ - getFormatterForField, - }: { - getFormatterForField?: DataView['getFormatterForField']; - } = {}): FieldSpec { + /** + * Get field in serialized form - fieldspec. + * @param config provide a method to get a field formatter + * @returns field in serialized form - field spec + */ + public toSpec(config: ToSpecConfig = {}): FieldSpec { + const { getFormatterForField } = config; + return { count: this.count, script: this.script, @@ -231,12 +360,11 @@ export class DataViewField implements IFieldType { }; } + /** + * Returns true if composite runtime field + */ + public isRuntimeCompositeSubField() { return this.runtimeField?.type === 'composite'; } } - -/** - * @deprecated Use DataViewField instead. All index pattern interfaces were renamed. - */ -export class IndexPatternField extends DataViewField {} 
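Review bot: The doc added on `isRuntimeCompositeSubField`, `Returns true if composite runtime field`, does not match the method name, which suggests a test for a sub-field of a composite, while the visible body `return this.runtimeField?.type === 'composite';` checks the field's own runtime definition. Either the name or the doc is misleading; as the method is public, keep the name and make the doc precise about what is actually tested, e.g. `Returns true if this field's runtime definition has type 'composite'.` — confirm against the callers before adding any parent/sub-field wording. The `@@ -231` hunk also deletes the exported `IndexPatternField` class, a breaking change that belongs in the same release note as the other removed aliases.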
diff --git a/src/plugins/data_views/common/fields/field_list.ts b/src/plugins/data_views/common/fields/field_list.ts
index c7ef23735d7bd..660f2f8ad2f97 100644
--- a/src/plugins/data_views/common/fields/field_list.ts
+++ b/src/plugins/data_views/common/fields/field_list.ts
@@ -7,28 +7,72 @@ */ import { findIndex } from 'lodash'; -import { IFieldType } from './types'; import { DataViewField } from './data_view_field'; import { FieldSpec, DataViewFieldMap } from '../types'; import { DataView } from '../data_views'; type FieldMap = Map; +interface ToSpecOptions { + getFormatterForField?: DataView['getFormatterForField']; +} + +/** + * Interface for data view field list which _extends_ the array class. + */ export interface IIndexPatternFieldList extends Array { + /** + * Add field to field list. + * @param field field spec to add field to list + * @returns data view field instance which was added to list + */ add(field: FieldSpec): DataViewField; + /** + * Returns fields as plain array of data view field instances. + */ getAll(): DataViewField[]; + /** + * Get field by name. Optimized, uses map to find field. + * @param name name of field to find + * @returns data view field instance if found, undefined otherwise + */ getByName(name: DataViewField['name']): DataViewField | undefined; + /** + * Get fields by field type. Optimized, uses map to find fields. + * @param type type of field to find + * @returns array of data view field instances if found, empty array otherwise + */ getByType(type: DataViewField['type']): DataViewField[]; - remove(field: IFieldType): void; + /** + * Remove field from field list + * @param field field for removal + */ + remove(field: DataViewField | FieldSpec): void; + /** + * Remove all fields from field list. + */ removeAll(): void; + /** + * Replace all fields in field list with new fields. 
+ * @param specs array of field specs to add to list + */ replaceAll(specs: FieldSpec[]): void; + /** + * Update a field in the list + * @param field field spec to update + */ update(field: FieldSpec): void; - toSpec(options?: { getFormatterForField?: DataView['getFormatterForField'] }): DataViewFieldMap; + /** + * Field list as field spec map by name + * @param options optionally provide a function to get field formatter for fields + * @return map of field specs by name + */ + toSpec(options?: ToSpecOptions): DataViewFieldMap; } -// extending the array class and using a constructor doesn't work well +// Extending the array class and using a constructor doesn't work well // when calling filter and similar so wrapping in a callback. -// to be removed in the future +// To be removed in the future export const fieldList = ( specs: FieldSpec[] = [], shortDotsEnable = false @@ -43,7 +87,8 @@ export const fieldList = ( } this.groups.get(field.type)!.set(field.name, field); }; - private removeByGroup = (field: IFieldType) => this.groups.get(field.type)!.delete(field.name); + private removeByGroup = (field: DataViewField) => + this.groups.get(field.type)?.delete(field.name); constructor() { super(); @@ -63,7 +108,7 @@ export const fieldList = ( return newField; }; - public readonly remove = (field: IFieldType) => { + public readonly remove = (field: DataViewField) => { this.removeByGroup(field); this.byName.delete(field.name); diff --git a/src/plugins/data_views/common/fields/index.ts b/src/plugins/data_views/common/fields/index.ts index 97cbe862d5fe7..6304aeb74bda2 100644 --- a/src/plugins/data_views/common/fields/index.ts +++ b/src/plugins/data_views/common/fields/index.ts @@ -6,7 +6,6 @@ * Side Public License, v 1. */ -export * from './types'; export { isFilterable, isNestedField, diff --git a/src/plugins/data_views/common/fields/types.ts b/src/plugins/data_views/common/fields/types.ts deleted file mode 100644 index b68f5db4f2cdc..0000000000000 
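Review bot: The interface `IIndexPatternFieldList.remove` is widened to `(field: DataViewField | FieldSpec)`, but the implementation in the `@@ -63` hunk is narrowed to `remove = (field: DataViewField)` and `removeByGroup` likewise; TypeScript's method-parameter bivariance lets this compile, yet a caller passing a `FieldSpec` through the interface reaches code typed for the class. Pick one: either `remove(field: DataViewField): void;` in the interface, or keep the union and type the implementation to match — `removeByGroup` and `remove` only read `type` and `name`, which both shapes carry. The switch from `this.groups.get(field.type)!` to `?.` in `removeByGroup` is a welcome fix; the `fieldList` factory and the class body extend beyond these hunks.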
--- a/src/plugins/data_views/common/fields/types.ts +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ -import { DataViewFieldBase } from '@kbn/es-query'; -import { FieldSpec, DataView } from '..'; - -/** - * @deprecated Use {@link IndexPatternField} - * @removeBy 8.2 - */ -export interface IFieldType extends DataViewFieldBase { - count?: number; - // esTypes might be undefined on old index patterns that have not been refreshed since we added - // this prop. It is also undefined on scripted fields. - esTypes?: string[]; - aggregatable?: boolean; - filterable?: boolean; - searchable?: boolean; - sortable?: boolean; - visualizable?: boolean; - readFromDocValues?: boolean; - displayName?: string; - customLabel?: string; - format?: any; - toSpec?: (options?: { getFormatterForField?: DataView['getFormatterForField'] }) => FieldSpec; -} diff --git a/src/plugins/data_views/common/fields/utils.ts b/src/plugins/data_views/common/fields/utils.ts index adb5057798b1c..1dc7e7f698995 100644 --- a/src/plugins/data_views/common/fields/utils.ts +++ b/src/plugins/data_views/common/fields/utils.ts @@ -8,11 +8,11 @@ import { getFilterableKbnTypeNames } from '@kbn/field-types'; import { DataViewFieldBase, IFieldSubTypeNested, IFieldSubTypeMulti } from '@kbn/es-query'; -import { IFieldType } from './types'; +import type { DataViewField } from '.'; const filterableTypes = getFilterableKbnTypeNames(); -export function isFilterable(field: IFieldType): boolean { +export function isFilterable(field: DataViewField): boolean { return ( field.name === '_id' || field.scripted || 
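Review bot: `isFilterable` now takes the `DataViewField` class instead of the structural `IFieldType`, imported as `import type { DataViewField } from '.'` — a type-only import through the package's own barrel, which fields/index.ts in turn re-exports `isFilterable` from; it is erased at runtime but leaves a circular module reference for tooling, and importing from `./data_view_field` directly avoids it. Narrowing the parameter to the class also drops callers that passed plain field-like objects (the deleted interface extended `DataViewFieldBase`); if that is intended, say so on `isFilterable`, e.g. `@param field data view field instance (plain field specs are no longer accepted)`. The function body continues past the hunk.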
@@ -55,6 +55,12 @@ export function isDataViewFieldSubtypeMulti(field: HasSubtype) { return !!subTypeNested?.multi?.parent; } +/** + * Returns subtype data for multi field + * @public + * @param field field to get subtype data from + */ + export function getDataViewFieldSubtypeMulti(field: HasSubtype) { return isDataViewFieldSubtypeMulti(field) ? (field.subType as IFieldSubTypeMulti) : undefined; } diff --git a/src/plugins/data_views/common/index.ts b/src/plugins/data_views/common/index.ts index aa60fd3414056..7a2281197ec16 100644 --- a/src/plugins/data_views/common/index.ts +++ b/src/plugins/data_views/common/index.ts @@ -12,12 +12,13 @@ export { META_FIELDS, DATA_VIEW_SAVED_OBJECT_TYPE, } from './constants'; -export type { IFieldType, IIndexPatternFieldList } from './fields'; + +export type { ToSpecConfig } from './fields'; +export type { IIndexPatternFieldList } from './fields'; export { isFilterable, fieldList, DataViewField, - IndexPatternField, isNestedField, isMultiField, getFieldSubtypeMulti, @@ -29,15 +30,10 @@ export type { RuntimeField, RuntimeFieldSpec, RuntimeFieldSubField, - IIndexPattern, DataViewAttributes, - IndexPatternAttributes, - FieldAttrs, - FieldAttrSet, OnNotification, OnError, UiSettingsCommon, - SavedObjectsClientCommonFindArgs, SavedObjectsClientCommon, GetFieldsOptions, IDataViewsApiClient, 
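Review bot: `export type { ToSpecConfig } from './fields'` relies on fields/index.ts re-exporting the interface that data_view_field.ts newly declares, yet the only fields/index.ts hunk in this diff removes a line and adds none; this compiles only if fields/index.ts already re-exports `./data_view_field` wholesale, which I cannot see from here — worth confirming. The two consecutive `export type { ... } from './fields'` statements could also be merged into one. The `@@ -29` hunk drops `IIndexPattern` and `IndexPatternAttributes` from the public surface for good, while `FieldAttrs`, `FieldAttrSet` and `SavedObjectsClientCommonFindArgs` are re-added in the next hunk, so only the first two need a release note.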
@@ -45,22 +41,29 @@ export type { AggregationRestrictions, TypeMeta, FieldSpecConflictDescriptions, - FieldSpecExportFmt, FieldSpec, DataViewFieldMap, DataViewSpec, SourceFilter, HasDataService, + RuntimeTypeExceptComposite, + RuntimeFieldBase, + FieldConfiguration, + SavedObjectsClientCommonFindArgs, + FieldAttrs, + FieldAttrSet, } from './types'; export { DataViewType } from './types'; -export type { IndexPatternsContract, DataViewsContract } from './data_views'; + +export type { DataViewsContract, DataViewsServiceDeps } from './data_views'; +export type { EnsureDefaultDataView } from './data_views/ensure_default_data_view'; export { IndexPatternsService, DataViewsService } from './data_views'; export type { DataViewListItem, DataViewsServicePublicMethods, TimeBasedDataView, } from './data_views'; -export { IndexPattern, DataView } from './data_views'; +export { DataView } from './data_views'; export { DuplicateDataViewError, DataViewSavedObjectConflictError, diff --git a/src/plugins/data_views/common/lib/types.ts b/src/plugins/data_views/common/lib/types.ts index bdc5479e97831..58c370045e1e2 100644 --- a/src/plugins/data_views/common/lib/types.ts +++ b/src/plugins/data_views/common/lib/types.ts @@ -6,7 +6,19 @@ * Side Public License, v 1. */ +/** + * Error code for when an index pattern contains illegal characters + */ export const ILLEGAL_CHARACTERS_KEY = 'ILLEGAL_CHARACTERS'; +/** + * Error code for when an index pattern contains spaces + */ export const CONTAINS_SPACES_KEY = 'CONTAINS_SPACES'; +/** + * Characters disallowed in index patterns that are visible. + */ export const ILLEGAL_CHARACTERS_VISIBLE = ['\\', '/', '?', '"', '<', '>', '|']; +/** + * All characters disallowed in index patterns. + */ export const ILLEGAL_CHARACTERS = ILLEGAL_CHARACTERS_VISIBLE.concat(' '); diff --git a/src/plugins/data_views/common/lib/validate_data_view.ts b/src/plugins/data_views/common/lib/validate_data_view.ts index f86ba28e7cde4..85793e169fbb8 100644 
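Review bot: The new doc on `ILLEGAL_CHARACTERS_VISIBLE`, `Characters disallowed in index patterns that are visible.`, reads as an exhaustive rule, but this array is a client-side convenience consumed by `validateDataView`, and nothing in this module enforces the pattern against the server, which remains the authority on what a name or pattern may contain. Suggest `Printable characters rejected by client-side pattern validation (the space is reported separately via CONTAINS_SPACES_KEY); server-side validation is authoritative.` and, on `ILLEGAL_CHARACTERS`, `ILLEGAL_CHARACTERS_VISIBLE plus the space character.` The `FieldSpecExportFmt` removal in the index.ts hunk above is another silently dropped public type.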
--- a/src/plugins/data_views/common/lib/validate_data_view.ts +++ b/src/plugins/data_views/common/lib/validate_data_view.ts @@ -23,6 +23,13 @@ function findIllegalCharacters(indexPattern: string): string[] { return illegalCharacters; } +/** + * Validate index pattern strings + * @public + * @param indexPattern string to validate + * @returns errors object + */ + export function validateDataView(indexPattern: string) { const errors: { [ILLEGAL_CHARACTERS_KEY]?: string[]; [CONTAINS_SPACES_KEY]?: boolean } = {}; diff --git a/src/plugins/data_views/common/lib/validate_index_pattern.test.ts b/src/plugins/data_views/common/lib/validate_index_pattern.test.ts new file mode 100644 index 0000000000000..edf20440931e3 --- /dev/null +++ b/src/plugins/data_views/common/lib/validate_index_pattern.test.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import { CONTAINS_SPACES_KEY, ILLEGAL_CHARACTERS_KEY, ILLEGAL_CHARACTERS_VISIBLE } from './types'; + +import { validateDataView } from './validate_data_view'; + +describe('Index Pattern Utils', () => { + describe('Validation', () => { + it('should not allow space in the pattern', () => { + const errors = validateDataView('my pattern'); + expect(errors[CONTAINS_SPACES_KEY]).toBe(true); + }); + + it('should not allow illegal characters', () => { + ILLEGAL_CHARACTERS_VISIBLE.forEach((char) => { + const errors = validateDataView(`pattern${char}`); + expect(errors[ILLEGAL_CHARACTERS_KEY]).toEqual([char]); + }); + }); + + it('should return empty object when there are no errors', () => { + expect(validateDataView('my-pattern-*')).toEqual({}); + }); + }); +}); 
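Review bot: The new test file is named `validate_index_pattern.test.ts` but imports and exercises `validateDataView` from `./validate_data_view`, so the `validateIndexPattern` module added next in this diff has no test of its own and the file name suggests coverage that does not exist. Either import `validateIndexPattern` from `./validate_index_pattern` here, or drop the new module and keep a single implementation. The assertions themselves are sound; `expect(errors[ILLEGAL_CHARACTERS_KEY]).toEqual([char])` pins that each visible illegal character is reported on its own.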
diff --git a/src/plugins/data_views/common/lib/validate_index_pattern.ts b/src/plugins/data_views/common/lib/validate_index_pattern.ts
new file mode 100644
index 0000000000000..30c46cb79f51f
--- /dev/null
+++ b/src/plugins/data_views/common/lib/validate_index_pattern.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ILLEGAL_CHARACTERS_VISIBLE, CONTAINS_SPACES_KEY, ILLEGAL_CHARACTERS_KEY } from './types';
+
+function indexPatternContainsSpaces(indexPattern: string): boolean {
+ return indexPattern.includes(' ');
+}
+
+function findIllegalCharacters(indexPattern: string): string[] {
+ const illegalCharacters = ILLEGAL_CHARACTERS_VISIBLE.reduce((chars: string[], char: string) => {
+ if (indexPattern.includes(char)) {
+ chars.push(char);
+ }
+ return chars;
+ }, []);
+
+ return illegalCharacters;
+}
+
+/**
+ * Validates index pattern strings
+ * @param indexPattern
+ * @returns Object with validation errors
+ */
+
+export function validateIndexPattern(indexPattern: string) {
+ const errors: { [ILLEGAL_CHARACTERS_KEY]?: string[]; [CONTAINS_SPACES_KEY]?: boolean } = {};
+
+ const illegalCharacters = findIllegalCharacters(indexPattern);
+
+ if (illegalCharacters.length) {
+ errors[ILLEGAL_CHARACTERS_KEY] = illegalCharacters;
+ }
+
+ if (indexPatternContainsSpaces(indexPattern)) {
+ errors[CONTAINS_SPACES_KEY] = true;
+ }
+
+ return errors;
+}
diff --git a/src/plugins/data_views/common/types.ts b/src/plugins/data_views/common/types.ts
index 5c4c77a46808d..628a98d89e68d 100644
--- a/src/plugins/data_views/common/types.ts
+++ b/src/plugins/data_views/common/types.ts
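Review bot: `validate_index_pattern.ts` is a line-for-line copy of `validate_data_view.ts` (`indexPatternContainsSpaces`, `findIllegalCharacters` and the exported function differ only in the export name), so the two validators will drift the first time one of them is tightened. Validation of user-entered patterns is exactly the kind of code that should have a single source of truth; make this module a thin alias, `export { validateDataView as validateIndexPattern } from './validate_data_view';`, mark it `@deprecated Use validateDataView`, and delete the duplicated helpers. The JSDoc here is also separated from `export function validateIndexPattern` by a blank line.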
@@ -5,29 +5,49 @@ * in compliance with, at your election, the Elastic License 2.0 or the Server * Side Public License, v 1. */ -import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import type { DataViewFieldBase, IFieldSubType, DataViewBase } from '@kbn/es-query'; + +import type { DataViewFieldBase } from '@kbn/es-query'; import { ToastInputFields, ErrorToastOptions } from '@kbn/core/public/notifications'; // eslint-disable-next-line import type { SavedObject } from 'src/core/server'; -import { KBN_FIELD_TYPES } from '@kbn/field-types'; import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; -import { FieldFormat, SerializedFieldFormat } from '@kbn/field-formats-plugin/common'; -import { IFieldType } from './fields'; +import type { SerializedFieldFormat } from '@kbn/field-formats-plugin/common'; import { RUNTIME_FIELD_TYPES } from './constants'; -import { DataViewField } from './fields'; export type { QueryDslQueryContainer }; export type FieldFormatMap = Record; +/** + * Runtime field - type of value returned + * @public + */ + export type RuntimeType = typeof RUNTIME_FIELD_TYPES[number]; +/** + * Primitive runtime field types + * @public + */ + export type RuntimeTypeExceptComposite = Exclude; +/** + * Runtime field definition + * @public + */ export interface RuntimeFieldBase { + /** + * Type of runtime field + */ type: RuntimeType; + /** + * Runtime field script + */ script?: { + /** + * Script source + */ source: string; }; } 
@@ -45,116 +65,234 @@ export interface RuntimeFieldSpec extends RuntimeFieldBase { >; } +/** + * Field attributes that are user configurable + * @public + */ export interface FieldConfiguration { + /** + * Field format in serialized form + */ format?: SerializedFieldFormat | null; + /** + * Custom label + */ customLabel?: string; + /** + * Popularity - used for discover + */ popularity?: number; } /** * This is the RuntimeField interface enhanced with Data view field * configuration: field format definition, customLabel or popularity. - * - * @see {@link RuntimeField} + * @public */ export interface RuntimeField extends RuntimeFieldBase, FieldConfiguration { + /** + * Subfields of composite field + */ fields?: Record; } -export interface RuntimeFieldSubField extends FieldConfiguration { - type: RuntimeTypeExceptComposite; -} - /** - * @deprecated - * IIndexPattern allows for an IndexPattern OR an index pattern saved object - * Use DataView or DataViewSpec instead + * Runtime field composite subfield + * @public */ -export interface IIndexPattern extends DataViewBase { - title: string; - fields: IFieldType[]; - /** - * Type is used for identifying rollup indices, otherwise left undefined - */ - type?: string; - timeFieldName?: string; - getTimeField?(): IFieldType | undefined; - fieldFormatMap?: Record | undefined>; +export interface RuntimeFieldSubField extends FieldConfiguration { /** - * Look up a formatter for a given field + * Type of runtime field, can only be primitive type */ - getFormatterForField?: (field: DataViewField | DataViewField['spec'] | IFieldType) => FieldFormat; + type: RuntimeTypeExceptComposite; } /** - * Interface for an index pattern saved object + * Interface for the data view saved object + * @public */ export interface DataViewAttributes { + /** + * Fields as a serialized array of field specs + */ fields: string; + /** + * Data view title + */ title: string; + /** + * Data view type, default or rollup + */ type?: string; + /** + * Type 
metadata information, serialized. Only used by rollup data views. + */ typeMeta?: string; + /** + * Time field name + */ timeFieldName?: string; + /** + * Serialized array of filters. Used by discover to hide fields. + */ sourceFilters?: string; + /** + * Serialized map of field formats by field name + */ fieldFormatMap?: string; + /** + * Serialized map of field attributes, currently field count and name + */ fieldAttrs?: string; + /** + * Serialized map of runtime field definitions, by field name + */ runtimeFieldMap?: string; /** - * prevents errors when index pattern exists before indices + * Prevents errors when index pattern exists before indices */ allowNoIndex?: boolean; } /** - * @deprecated Use DataViewAttributes. All index pattern interfaces were renamed. - */ -export type IndexPatternAttributes = DataViewAttributes; - -/** - * @intenal + * Set of field attributes + * @public * Storage of field attributes. Necessary since the field list isn't saved. */ export interface FieldAttrs { [key: string]: FieldAttrSet; } +/** + * Field attributes that are stored on the data view + * @public + */ export interface FieldAttrSet { + /** + * Custom field label + */ customLabel?: string; + /** + * Popularity count - used for discover + */ count?: number; } +/** + * Handler for data view notifications + * @public + * @param toastInputFields Toast notif config + * @param key Used to dedupe notifs + */ export type OnNotification = (toastInputFields: ToastInputFields, key: string) => void; + +/** + * Handler for data view errors + * @public + * @param error Error object + * @param toastInputFields Toast notif config + * @param key Used to dedupe notifs + */ export type OnError = (error: Error, toastInputFields: ErrorToastOptions, key: string) => void; +/** + * Interface for UiSettings common interface {@link UiSettingsClient} + */ export interface UiSettingsCommon { + /** + * Get a setting value + * @param key name of value + */ get: (key: string) => Promise; + /** + * Get 
all settings values + */ getAll: () => Promise>; - set: (key: string, value: any) => Promise; + /** + * Set a setting value + * @param key name of value + * @param value value to set + */ + set: (key: string, value: T) => Promise; + /** + * Remove a setting value + * @param key name of value + */ remove: (key: string) => Promise; } +/** + * Saved objects common find args + * @public + */ export interface SavedObjectsClientCommonFindArgs { + /** + * Saved object type + */ type: string | string[]; + /** + * Saved object fields + */ fields?: string[]; + /** + * Results per page + */ perPage?: number; + /** + * Query string + */ search?: string; + /** + * Fields to search + */ searchFields?: string[]; } +/** + * Common interface for the saved objects client + * @public + */ export interface SavedObjectsClientCommon { + /** + * Search for saved objects + * @param options - options for search + */ find: (options: SavedObjectsClientCommonFindArgs) => Promise>>; + /** + * Get a single saved object by id + * @param type - type of saved object + * @param id - id of saved object + */ get: (type: string, id: string) => Promise>; + /** + * Update a saved object by id + * @param type - type of saved object + * @param id - id of saved object + * @param attributes - attributes to update + * @param options - client options + */ update: ( type: string, id: string, attributes: Record, options: Record ) => Promise; + /** + * Create a saved object + * @param type - type of saved object + * @param attributes - attributes to set + * @param options - client options + */ create: ( type: string, attributes: Record, options: Record ) => Promise; + /** + * Delete a saved object by id + * @param type - type of saved object + * @param id - id of saved object + */ delete: (type: string, id: string) => Promise<{}>; } 
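Review bot: In the `FieldAttrs` doc block the sentence "Storage of field attributes. Necessary since the field list isn't saved." comes after the `@public` tag, so TSDoc-style parsers read it as the tag's content rather than as part of the summary; move it above `@public`. The `UiSettingsCommon` summary links `{@link UiSettingsClient}`, a name that is neither imported nor declared in this file, so the link is likely to be reported as unresolved in generated docs — confirm it resolves or drop it. The `allowNoIndex` description here ("Prevents errors when index pattern exists before indices") and the one on `DataViewSpec.allowNoIndex` in the later hunk ("Determines whether failure to load field list should be reported as error") describe the same persisted flag differently; pick one wording. This hunk starts at `RuntimeFieldSpec` in L480 and runs to the end of `SavedObjectsClientCommon`.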
@@ -187,13 +325,28 @@ export type AggregationRestrictions = Record< } >; +/** + * Interface for metadata about rollup indices + */ export interface TypeMeta { + /** + * Aggregation restrictions for rollup fields + */ aggs?: Record; + /** + * Params for retrieving rollup field data + */ params?: { + /** + * Rollup index name used for loading field list + */ rollup_index: string; }; } +/** + * Data View type. Default or rollup + */ export enum DataViewType { DEFAULT = 'default', ROLLUP = 'rollup', 
@@ -209,72 +362,122 @@ export enum IndexPatternType { export type FieldSpecConflictDescriptions = Record; -// This should become FieldSpec once types are cleaned up -export interface FieldSpecExportFmt { - count?: number; - script?: string; - lang?: estypes.ScriptLanguage; - conflictDescriptions?: FieldSpecConflictDescriptions; - name: string; - type: KBN_FIELD_TYPES; - esTypes?: string[]; - scripted: boolean; - searchable: boolean; - aggregatable: boolean; - readFromDocValues?: boolean; - subType?: IFieldSubType; - format?: SerializedFieldFormat; - indexed?: boolean; -} - /** + * Serialized version of DataViewField * @public - * Serialized version of IndexPatternField */ export interface FieldSpec extends DataViewFieldBase { /** * Popularity count is used by discover */ count?: number; + /** + * Description of field type conflicts across indices + */ conflictDescriptions?: Record; + /** + * Field formatting in serialized format + */ format?: SerializedFieldFormat; + /** + * Elasticsearch field types used by backing indices + */ esTypes?: string[]; + /** + * True if field is searchable + */ searchable: boolean; + /** + * True if field is aggregatable + */ aggregatable: boolean; + /** + * True if can be read from doc values + */ readFromDocValues?: boolean; + /** + * True if field is indexed + */ indexed?: boolean; + /** + * Custom label for field, used for display in kibana + */ customLabel?: string; + /** + * Runtime field definition + */ runtimeField?: RuntimeFieldSpec; + // not persisted + + /** + * Whether short dots are enabled, based on uiSettings. + */ shortDotsEnable?: boolean; + /** + * Is this field in the mapping? False if a scripted or runtime field defined on the data view. 
+ */ isMapped?: boolean; } export type DataViewFieldMap = Record; /** - * Static index pattern format - * Serialized data object, representing index pattern attributes and state + * Static data view format + * Serialized data object, representing data view attributes and state */ export interface DataViewSpec { /** - * saved object id + * Saved object id */ id?: string; /** - * saved object version string + * Saved object version string */ version?: string; + /** + * Data view title + */ title?: string; + /** + * Name of timestamp field + */ timeFieldName?: string; + /** + * List of filters which discover uses to hide fields + */ sourceFilters?: SourceFilter[]; + /** + * Map of fields by name + */ fields?: DataViewFieldMap; + /** + * Metadata about data view, only used by rollup data views + */ typeMeta?: TypeMeta; + /** + * Default or rollup + */ type?: string; + /** + * Map of serialized field formats by field name + */ fieldFormats?: Record; + /** + * Map of runtime fields by field name + */ runtimeFieldMap?: Record; + /** + * Map of field attributes by field name, currently customName and count + */ fieldAttrs?: FieldAttrs; + /** + * Determines whether failure to load field list should be reported as error + */ allowNoIndex?: boolean; + /** + * Array of namespace ids + */ namespaces?: string[]; } diff --git a/src/plugins/data_views/common/utils.test.ts b/src/plugins/data_views/common/utils.test.ts index 51c5e99be50db..3351a15da1a13 100644 --- a/src/plugins/data_views/common/utils.test.ts +++ b/src/plugins/data_views/common/utils.test.ts 
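Review bot: The `fieldAttrs` doc in `DataViewSpec` says "currently customName and count", but `FieldAttrSet`, the value type of `FieldAttrs`, declares `customLabel` and `count`, and the serialized `DataViewAttributes.fieldAttrs` doc says "field count and name"; use the real property name in both places: `Map of field attributes by field name, currently customLabel and count`. The bare `// not persisted` line before `shortDotsEnable` will not appear in generated API docs and reads as a floating comment; fold it into the property docs for `shortDotsEnable` and `isMapped`, e.g. `Whether short dots are enabled, based on uiSettings. Not persisted.` The hunk starts at `FieldSpecConflictDescriptions` in L484.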
@@ -7,43 +7,47 @@ */ import { isFilterable } from '.'; -import { IFieldType } from './fields'; +import type { DataViewField } from './fields'; const mockField = { name: 'foo', scripted: false, searchable: true, type: 'string', -} as IFieldType; +} as DataViewField; describe('isFilterable', () => { describe('types', () => { it('should return true for filterable types', () => { ['string', 'number', 'date', 'ip', 'boolean'].forEach((type) => { - expect(isFilterable({ ...mockField, type })).toBe(true); + expect(isFilterable({ ...mockField, type } as DataViewField)).toBe(true); }); }); it('should return false for filterable types if the field is not searchable', () => { ['string', 'number', 'date', 'ip', 'boolean'].forEach((type) => { - expect(isFilterable({ ...mockField, type, searchable: false })).toBe(false); + expect(isFilterable({ ...mockField, type, searchable: false } as DataViewField)).toBe( + false + ); }); }); it('should return false for un-filterable types', () => { ['geo_point', 'geo_shape', 'attachment', 'murmur3', '_source', 'unknown', 'conflict'].forEach( (type) => { - expect(isFilterable({ ...mockField, type })).toBe(false); + expect(isFilterable({ ...mockField, type } as DataViewField)).toBe(false); } ); }); }); it('should return true for scripted fields', () => { - expect(isFilterable({ ...mockField, scripted: true, searchable: false })).toBe(true); + expect(isFilterable({ ...mockField, scripted: true, searchable: false } as DataViewField)).toBe( + true + ); }); it('should return true for the _id field', () => { - expect(isFilterable({ ...mockField, name: '_id' })).toBe(true); + expect(isFilterable({ ...mockField, name: '_id' } as DataViewField)).toBe(true); }); }); diff --git a/src/plugins/data_views/common/utils.ts b/src/plugins/data_views/common/utils.ts index 77e9bd76b869c..98f55d6265d27 100644 --- a/src/plugins/data_views/common/utils.ts +++ b/src/plugins/data_views/common/utils.ts 
@@ -6,7 +6,7 @@ * Side Public License, v 1. */ -import type { IndexPatternSavedObjectAttrs } from './data_views'; +import type { DataViewSavedObjectAttrs } from './data_views'; import type { SavedObjectsClientCommon } from './types'; import { DATA_VIEW_SAVED_OBJECT_TYPE } from './constants'; @@ -20,7 +20,7 @@ import { DATA_VIEW_SAVED_OBJECT_TYPE } from './constants'; */ export async function findByTitle(client: SavedObjectsClientCommon, title: string) { if (title) { - const savedObjects = await client.find({ + const savedObjects = await client.find({ type: DATA_VIEW_SAVED_OBJECT_TYPE, perPage: 10, search: `"${title}"`, diff --git a/src/plugins/data_views/public/data_views/data_views_api_client.ts b/src/plugins/data_views/public/data_views/data_views_api_client.ts index fdf24e21c2e01..e1b7ee1590acf 100644 --- a/src/plugins/data_views/public/data_views/data_views_api_client.ts +++ b/src/plugins/data_views/public/data_views/data_views_api_client.ts @@ -12,9 +12,16 @@ import { GetFieldsOptions, IDataViewsApiClient } from '../../common'; const API_BASE_URL: string = `/api/index_patterns/`; +/** + * Data Views API Client - client implementation + */ export class DataViewsApiClient implements IDataViewsApiClient { private http: HttpSetup; + /** + * constructor + * @param http http dependency + */ constructor(http: HttpSetup) { this.http = http; } @@ -37,14 +44,12 @@ export class DataViewsApiClient implements IDataViewsApiClient { return API_BASE_URL + path.filter(Boolean).map(encodeURIComponent).join('/'); } - getFieldsForWildcard({ - pattern, - metaFields, - type, - rollupIndex, - allowNoIndex, - filter, - }: GetFieldsOptions) { + /** + * Get field list for a given index pattern + * @param options options for fields request + */ + getFieldsForWildcard(options: GetFieldsOptions) { + const { pattern, metaFields, type, rollupIndex, allowNoIndex, filter } = options; return this._request(this._getUrl(['_fields_for_wildcard']), { pattern, meta_fields: metaFields, 
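Review bot: The `client.find` call being retyped in `findByTitle` still builds its `search` value by interpolating `title` into a quoted phrase (`"${title}"`), so a title that itself contains a double quote yields an unbalanced phrase and the lookup can miss or mis-match. Either escape `"` and `\` in `title` before interpolating, or search with `searchFields: ['title']` and compare exact titles on the returned objects, which the code after the hunk may already do — please confirm. This is pre-existing behaviour rather than introduced here, but the retyping is a good moment to tighten it, and a one-line comment on why the value is quoted would help the next reader.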
@@ -55,6 +60,9 @@ export class DataViewsApiClient implements IDataViewsApiClient { }).then((resp: any) => resp.fields || []); } + /** + * Does a user created data view exist? + */ async hasUserIndexPattern(): Promise { const response = await this._request<{ result: boolean }>( this._getUrl(['has_user_index_pattern']) diff --git a/src/plugins/data_views/public/data_views/redirect_no_index_pattern.tsx b/src/plugins/data_views/public/data_views/redirect_no_index_pattern.tsx index 3ddfd24f687af..c55451cf12103 100644 --- a/src/plugins/data_views/public/data_views/redirect_no_index_pattern.tsx +++ b/src/plugins/data_views/public/data_views/redirect_no_index_pattern.tsx @@ -59,5 +59,5 @@ export const onRedirectNoIndexPattern = } // return never-resolving promise to stop resolving and wait for the url change - return new Promise(() => {}); + return new Promise(() => {}); }; diff --git a/src/plugins/data_views/public/data_views_service_public.ts b/src/plugins/data_views/public/data_views_service_public.ts index ceedffb553b66..4693e7000b2a3 100644 --- a/src/plugins/data_views/public/data_views_service_public.ts +++ b/src/plugins/data_views/public/data_views_service_public.ts 
@@ -11,15 +11,34 @@ import { DataViewsService } from '.'; import { DataViewsServiceDeps } from '../common/data_views/data_views'; import { HasDataService } from '../common'; -interface DataViewsServicePublicDeps extends DataViewsServiceDeps { +/** + * Data Views public service dependencies + * @public + */ +export interface DataViewsServicePublicDeps extends DataViewsServiceDeps { + /** + * Get can user save data view - sync version + */ getCanSaveSync: () => boolean; + /** + * Has data service + */ hasData: HasDataService; } +/** + * Data Views public service + * @public + */ export class DataViewsServicePublic extends DataViewsService { public getCanSaveSync: () => boolean; public hasData: HasDataService; + /** + * Constructor + * @param deps Service dependencies + */ + constructor(deps: DataViewsServicePublicDeps) { super(deps); this.getCanSaveSync = deps.getCanSaveSync; diff --git a/src/plugins/data_views/public/index.ts b/src/plugins/data_views/public/index.ts index 5b14ca9d25030..ee2a23fbad3a7 100644 --- a/src/plugins/data_views/public/index.ts +++ b/src/plugins/data_views/public/index.ts @@ -13,12 +13,15 @@ export { ILLEGAL_CHARACTERS, validateDataView, } from '../common/lib'; -export { onRedirectNoIndexPattern } from './data_views'; export type { IIndexPatternFieldList, TypeMeta, RuntimeType } from '../common'; -export type { DataViewSpec, FieldSpec, DataViewAttributes } from '../common'; +export type { + DataViewSpec, + FieldSpec, + DataViewAttributes, + SavedObjectsClientCommon, +} from '../common'; export { - IndexPatternField, DataViewField, DataViewType, DataViewSavedObjectConflictError, 
@@ -28,15 +31,14 @@ export { getFieldSubtypeNested, } from '../common'; -export type { IndexPatternsContract } from './data_views'; +export type { DataViewsPublicSetupDependencies, DataViewsPublicStartDependencies } from './types'; + +export type { + DataViewsServicePublic, + DataViewsServicePublicDeps, +} from './data_views_service_public'; +export { IndexPatternsService, DataViewsApiClient, DataViewsService, DataView } from './data_views'; export type { DataViewListItem } from './data_views'; -export { - IndexPatternsService, - IndexPattern, - DataViewsApiClient, - DataViewsService, - DataView, -} from './data_views'; export { UiSettingsPublicToCommon } from './ui_settings_wrapper'; export { SavedObjectsClientPublicToCommon } from './saved_objects_client_wrapper'; @@ -55,8 +57,6 @@ export type { DataViewsPublicPluginStart, DataViewsContract, HasDataViewsResponse, - IndicesResponse, - IndicesResponseModified, IndicesViaSearchResponse, } from './types'; diff --git a/src/plugins/data_views/public/plugin.ts b/src/plugins/data_views/public/plugin.ts index 5c3ad2c33307d..fbd57abb1d750 100644 --- a/src/plugins/data_views/public/plugin.ts +++ b/src/plugins/data_views/public/plugin.ts @@ -15,12 +15,11 @@ import { DataViewsPublicStartDependencies, } from './types'; -import { - onRedirectNoIndexPattern, - DataViewsApiClient, - UiSettingsPublicToCommon, - SavedObjectsClientPublicToCommon, -} from '.'; +import { DataViewsApiClient } from '.'; +import { onRedirectNoIndexPattern } from './data_views'; +import { SavedObjectsClientPublicToCommon } from './saved_objects_client_wrapper'; + +import { UiSettingsPublicToCommon } from './ui_settings_wrapper'; import { DataViewsServicePublic } from './data_views_service_public'; import { HasData } from './services'; diff --git a/src/plugins/data_views/public/saved_objects_client_wrapper.ts b/src/plugins/data_views/public/saved_objects_client_wrapper.ts index c6403cadd04b7..9dab5ec46f548 100644 
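Review bot: `DataViewsServicePublic` is a class (declared in data_views_service_public.ts in this same change), but the public index re-exports it with `export type { DataViewsServicePublic, DataViewsServicePublicDeps }`, which exposes only its type; consumers importing from the plugin index cannot `new` it or use `instanceof`. If the class is meant to be part of the public surface, split the export: `export { DataViewsServicePublic } from './data_views_service_public';` and keep `export type { DataViewsServicePublicDeps } from './data_views_service_public';`. If the type-only export is intentional, a short comment saying the value is internal would save the next reader the same question.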
--- a/src/plugins/data_views/public/saved_objects_client_wrapper.ts +++ b/src/plugins/data_views/public/saved_objects_client_wrapper.ts @@ -12,8 +12,8 @@ import { SavedObjectsClientCommon, SavedObjectsClientCommonFindArgs, SavedObject, - DataViewSavedObjectConflictError, -} from '../common'; +} from '../common/types'; +import { DataViewSavedObjectConflictError } from '../common/errors'; type SOClient = Pick< SavedObjectsClientContract, diff --git a/src/plugins/data_views/public/services/has_data.ts b/src/plugins/data_views/public/services/has_data.ts index d10f6a3d446f8..f9f93e0614c66 100644 --- a/src/plugins/data_views/public/services/has_data.ts +++ b/src/plugins/data_views/public/services/has_data.ts @@ -8,12 +8,8 @@ import { CoreStart, HttpStart } from '@kbn/core/public'; import { DEFAULT_ASSETS_TO_IGNORE } from '../../common'; -import { - HasDataViewsResponse, - IndicesResponse, - IndicesResponseModified, - IndicesViaSearchResponse, -} from '..'; +import { HasDataViewsResponse, IndicesViaSearchResponse } from '..'; +import { IndicesResponse, IndicesResponseModified } from '../types'; export class HasData { private removeAliases = (source: IndicesResponseModified): boolean => !source.item.indices; diff --git a/src/plugins/data_views/public/types.ts b/src/plugins/data_views/public/types.ts index f2d34961ab6e0..fc888d2c42c87 100644 --- a/src/plugins/data_views/public/types.ts +++ b/src/plugins/data_views/public/types.ts @@ -65,12 +65,27 @@ export interface HasDataViewsResponse { hasUserDataView: boolean; } +/** + * Data views public setup dependencies + */ export interface DataViewsPublicSetupDependencies { + /** + * Expressions + */ expressions: ExpressionsSetup; + /** + * Field formats + */ fieldFormats: FieldFormatsSetup; } +/** + * Data views public start dependencies + */ export interface DataViewsPublicStartDependencies { + /** + * Field formats + */ fieldFormats: FieldFormatsStart; } 
diff --git a/src/plugins/data_views/server/constants.ts b/src/plugins/data_views/server/constants.ts
index 7daafe65f9b92..d076435dcf149 100644
--- a/src/plugins/data_views/server/constants.ts
+++ b/src/plugins/data_views/server/constants.ts
@@ -6,24 +6,73 @@ * Side Public License, v 1. */ +/** + * Service path for data views REST API + */ export const SERVICE_PATH = '/api/data_views'; +/** + * Legacy service path for data views REST API + */ export const SERVICE_PATH_LEGACY = '/api/index_patterns'; +/** + * Path for data view creation + */ export const DATA_VIEW_PATH = `${SERVICE_PATH}/data_view`; +/** + * Legacy path for data view creation + */ export const DATA_VIEW_PATH_LEGACY = `${SERVICE_PATH_LEGACY}/index_pattern`; +/** + * Path for single data view + */ export const SPECIFIC_DATA_VIEW_PATH = `${DATA_VIEW_PATH}/{id}`; +/** + * Legacy path for single data view + */ export const SPECIFIC_DATA_VIEW_PATH_LEGACY = `${DATA_VIEW_PATH_LEGACY}/{id}`; +/** + * Path to create runtime field + */ export const RUNTIME_FIELD_PATH = `${SPECIFIC_DATA_VIEW_PATH}/runtime_field`; +/** + * Legacy path to create runtime field + */ export const RUNTIME_FIELD_PATH_LEGACY = `${SPECIFIC_DATA_VIEW_PATH_LEGACY}/runtime_field`; +/** + * Path for runtime field + */ export const SPECIFIC_RUNTIME_FIELD_PATH = `${RUNTIME_FIELD_PATH}/{name}`; +/** + * Legacy path for runtime field + */ export const SPECIFIC_RUNTIME_FIELD_PATH_LEGACY = `${RUNTIME_FIELD_PATH_LEGACY}/{name}`; +/** + * Path to create scripted field + */ export const SCRIPTED_FIELD_PATH = `${SPECIFIC_DATA_VIEW_PATH}/scripted_field`; +/** + * Legacy path to create scripted field + */ export const SCRIPTED_FIELD_PATH_LEGACY = `${SPECIFIC_DATA_VIEW_PATH_LEGACY}/scripted_field`; +/** + * Path for scripted field + */ export const SPECIFIC_SCRIPTED_FIELD_PATH = `${SCRIPTED_FIELD_PATH}/{name}`; +/** + * Legacy path for scripted field + */ export const SPECIFIC_SCRIPTED_FIELD_PATH_LEGACY = `${SCRIPTED_FIELD_PATH_LEGACY}/{name}`; +/** + * name of service in path form + */ export const SERVICE_KEY = 'data_view'; +/** + * Legacy name of service in path form + */ export const SERVICE_KEY_LEGACY = 'index_pattern'; +/** + * Service keys as type + */ export type SERVICE_KEY_TYPE = 
typeof SERVICE_KEY | typeof SERVICE_KEY_LEGACY; - -export const CREATE_DATA_VIEW_COUNTER_NAME = `POST ${DATA_VIEW_PATH}`; diff --git a/src/plugins/data_views/server/data_views_service_factory.ts b/src/plugins/data_views/server/data_views_service_factory.ts index 570ced7b62580..f1501b19ca438 100644 --- a/src/plugins/data_views/server/data_views_service_factory.ts +++ b/src/plugins/data_views/server/data_views_service_factory.ts @@ -20,23 +20,25 @@ import { UiSettingsServerToCommon } from './ui_settings_wrapper'; import { IndexPatternsApiServer } from './index_patterns_api_client'; import { SavedObjectsClientServerToCommon } from './saved_objects_client_wrapper'; -export const dataViewsServiceFactory = ({ - logger, - uiSettings, - fieldFormats, - capabilities, -}: { +interface DataViewsServiceFactoryDeps { logger: Logger; uiSettings: UiSettingsServiceStart; fieldFormats: FieldFormatsStart; capabilities: CoreStart['capabilities']; -}) => +} + +/** + * Creates a new DataViewsService instance. + * @param deps - Dependencies required by the DataViewsService + */ +export const dataViewsServiceFactory = (deps: DataViewsServiceFactoryDeps) => async function ( savedObjectsClient: SavedObjectsClientContract, elasticsearchClient: ElasticsearchClient, request?: KibanaRequest, byPassCapabilities?: boolean ) { + const { logger, uiSettings, fieldFormats, capabilities } = deps; const uiSettingsClient = uiSettings.asScopedToClient(savedObjectsClient); const formats = await fieldFormats.fieldFormatServiceFactory(uiSettingsClient); diff --git a/src/plugins/data_views/server/expressions/load_index_pattern.ts b/src/plugins/data_views/server/expressions/load_index_pattern.ts index 091a6aa2c3817..bfa44f9469da5 100644 --- a/src/plugins/data_views/server/expressions/load_index_pattern.ts +++ b/src/plugins/data_views/server/expressions/load_index_pattern.ts 
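Review bot: `DataViewsServiceFactoryDeps` is not exported but is the parameter type of the exported `dataViewsServiceFactory`, so API report tooling will likely flag it as a forgotten export and callers cannot name the type; `export interface DataViewsServiceFactoryDeps` fixes that, and its four fields could carry the same one-line docs the rest of this change adds. The inner `async function (savedObjectsClient, elasticsearchClient, request?, byPassCapabilities?)` is the part consumers actually call and has no doc at all; a `@param` block there, or an `@returns` on the factory describing the scoped service it produces, would be worth more than the factory-level line alone. The function body continues outside the hunk.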
@@ -80,10 +80,10 @@ export function getIndexPatternLoad({ }) { return getFunctionDefinition({ getStartDependencies: async (request: KibanaRequest) => { - const [{ elasticsearch, savedObjects }, , { indexPatternsServiceFactory }] = + const [{ elasticsearch, savedObjects }, , { dataViewsServiceFactory }] = await getStartServices(); return { - indexPatterns: await indexPatternsServiceFactory( + indexPatterns: await dataViewsServiceFactory( savedObjects.getScopedClient(request), elasticsearch.client.asScoped(request).asCurrentUser, request diff --git a/src/plugins/data_views/server/fetcher/lib/map_capabilities.ts b/src/plugins/data_views/server/fetcher/lib/map_capabilities.ts index 19d3c244f4654..e2076a373d489 100644 --- a/src/plugins/data_views/server/fetcher/lib/map_capabilities.ts +++ b/src/plugins/data_views/server/fetcher/lib/map_capabilities.ts @@ -8,6 +8,12 @@ import { mergeJobConfigurations } from './jobs_compatibility'; +/** + * Get rollup job capabilities + * @public + * @param indices rollup job index capabilites + */ + export function getCapabilitiesForRollupIndices(indices: Record) { const indexNames = Object.keys(indices); const capabilities = {} as { [key: string]: any }; diff --git a/src/plugins/data_views/server/has_user_index_pattern.ts b/src/plugins/data_views/server/has_user_index_pattern.ts index b2ef306054582..7473ff6d35d3f 100644 --- a/src/plugins/data_views/server/has_user_index_pattern.ts +++ b/src/plugins/data_views/server/has_user_index_pattern.ts @@ -11,7 +11,7 @@ import { SavedObjectsClientContract, SavedObjectsFindResponse, } from '@kbn/core/server'; -import { IndexPatternSavedObjectAttrs } from '../common/data_views'; +import { DataViewSavedObjectAttrs } from '../common/data_views'; import { DEFAULT_ASSETS_TO_IGNORE } from '../common/constants'; interface Deps { 
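Review bot: The new `@param indices` description on `getCapabilitiesForRollupIndices` misspells "capabilities" (`capabilites`), and the doc block is detached from the function by a blank line; `@param indices rollup job capabilities keyed by index name` placed directly above `export function` reads cleaner. The function has no `@returns`, while its body builds a `capabilities` object typed `{ [key: string]: any }`, so a sentence on the returned shape would help API readers more than the `@public` tag alone. The function body continues outside the hunk.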
@@ -22,8 +22,8 @@ interface Deps { export const getIndexPattern = async ({ esClient, soClient, -}: Deps): Promise> => - soClient.find({ +}: Deps): Promise> => + soClient.find({ type: 'index-pattern', fields: ['title'], search: `*`, @@ -33,7 +33,7 @@ export const getIndexPattern = async ({ export const hasUserIndexPattern = async ( { esClient, soClient }: Deps, - indexPatterns?: SavedObjectsFindResponse + indexPatterns?: SavedObjectsFindResponse ): Promise => { if (!indexPatterns) { indexPatterns = await getIndexPattern({ esClient, soClient }); diff --git a/src/plugins/data_views/server/index.ts b/src/plugins/data_views/server/index.ts index 6558d75c50a46..e9eb7f0b50a3f 100644 --- a/src/plugins/data_views/server/index.ts +++ b/src/plugins/data_views/server/index.ts @@ -8,13 +8,12 @@ export { getFieldByName, findIndexPatternById } from './utils'; export type { FieldDescriptor } from './fetcher'; -export { - IndexPatternsFetcher, - shouldReadFieldFromDocValues, - mergeCapabilitiesWithFields, - getCapabilitiesForRollupIndices, -} from './fetcher'; -export type { IndexPatternsServiceStart } from './types'; +export { IndexPatternsFetcher, getCapabilitiesForRollupIndices } from './fetcher'; +export type { + DataViewsServerPluginStart, + DataViewsServerPluginSetupDependencies, + DataViewsServerPluginStartDependencies, +} from './types'; import { PluginInitializerContext } from '@kbn/core/server'; import { DataViewsServerPlugin } from './plugin'; @@ -56,3 +55,6 @@ export { } from './constants'; export type { SERVICE_KEY_TYPE } from './constants'; + +export type { FieldSpec, SavedObjectsClientCommon } from '../common/types'; +export { DataViewsService, DataView } from '../common/data_views'; diff --git a/src/plugins/data_views/server/index_patterns_api_client.ts b/src/plugins/data_views/server/index_patterns_api_client.ts index 81003f6bfb60a..0cdcb55a61667 100644 --- a/src/plugins/data_views/server/index_patterns_api_client.ts 
+++ b/src/plugins/data_views/server/index_patterns_api_client.ts @@ -49,6 +49,9 @@ export class IndexPatternsApiServer implements IDataViewsApiClient { }); } + /** + * Is there a user created data view? + */ async hasUserIndexPattern() { return hasUserIndexPattern({ esClient: this.esClient, diff --git a/src/plugins/data_views/server/mocks.ts b/src/plugins/data_views/server/mocks.ts index 361daf4b937d4..82595f7dc51a1 100644 --- a/src/plugins/data_views/server/mocks.ts +++ b/src/plugins/data_views/server/mocks.ts @@ -11,7 +11,6 @@ import { DataViewsService } from '../common'; export function createIndexPatternsStartMock() { const dataViewsServiceFactory = jest.fn().mockResolvedValue({ get: jest.fn() }); return { - indexPatternsServiceFactory: dataViewsServiceFactory, dataViewsServiceFactory, }; } @@ -29,4 +28,5 @@ export const dataViewsService = { getDefaultId: jest.fn(), updateSavedObject: jest.fn(), refreshFields: jest.fn(), + getIdsWithTitle: jest.fn(), } as unknown as jest.Mocked; diff --git a/src/plugins/data_views/server/plugin.ts b/src/plugins/data_views/server/plugin.ts index 6ec356a150bd5..9727495553fe0 100644 --- a/src/plugins/data_views/server/plugin.ts +++ b/src/plugins/data_views/server/plugin.ts @@ -65,7 +65,6 @@ export class DataViewsServerPlugin }); return { - indexPatternsServiceFactory: serviceFactory, dataViewsServiceFactory: serviceFactory, }; } diff --git a/src/plugins/data_views/server/register_index_pattern_usage_collection.ts b/src/plugins/data_views/server/register_index_pattern_usage_collection.ts index 9c005d531da23..484a1289a59f6 100644 --- a/src/plugins/data_views/server/register_index_pattern_usage_collection.ts +++ b/src/plugins/data_views/server/register_index_pattern_usage_collection.ts 
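Review bot: Removing `indexPatternsServiceFactory` from the server plugin's start contract in plugin.ts is a breaking change for any consumer that still destructures it from `getStartServices()`; the two in-repo callers updated in this change (load_index_pattern.ts, register_index_pattern_usage_collection.ts) are covered, and the mock in mocks.ts is changed in lockstep, but a caller outside this plugin that is typed loosely would only fail at runtime. Worth a repository-wide search and a breaking-change note in the PR description. The `getIdsWithTitle: jest.fn()` added to `dataViewsService` in mocks.ts returns `undefined`, so `getDataViews` in the new route resolves to `undefined` under test; `getIdsWithTitle: jest.fn().mockResolvedValue([])` matches the real return shape if any test inspects the result.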
@@ -153,9 +153,9 @@ export function registerIndexPatternsUsageCollector( type: 'index-patterns', isReady: () => true, fetch: async () => { - const [{ savedObjects, elasticsearch }, , { indexPatternsServiceFactory }] = + const [{ savedObjects, elasticsearch }, , { dataViewsServiceFactory }] = await getStartServices(); - const indexPatternService = await indexPatternsServiceFactory( + const indexPatternService = await dataViewsServiceFactory( new SavedObjectsClient(savedObjects.createInternalRepository()), elasticsearch.client.asInternalUser ); diff --git a/src/plugins/data_views/server/rest_api_routes/create_data_view.ts b/src/plugins/data_views/server/rest_api_routes/create_data_view.ts index c35344f54c4fa..4244888a940d9 100644 --- a/src/plugins/data_views/server/rest_api_routes/create_data_view.ts +++ b/src/plugins/data_views/server/rest_api_routes/create_data_view.ts @@ -9,7 +9,8 @@ import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { schema } from '@kbn/config-schema'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewSpec, DataViewsService } from '../../common'; +import { DataViewSpec } from '../../common/types'; +import { DataViewsService } from '../../common/data_views'; import { handleErrors } from './util/handle_errors'; import { fieldSpecSchema, runtimeFieldSchema, serializedFieldFormatSchema } from './util/schemas'; import type { DataViewsServerPluginStartDependencies, DataViewsServerPluginStart } from '../types'; diff --git a/src/plugins/data_views/server/rest_api_routes/get_data_views.test.ts b/src/plugins/data_views/server/rest_api_routes/get_data_views.test.ts new file mode 100644 index 0000000000000..216fe58693965 --- /dev/null +++ b/src/plugins/data_views/server/rest_api_routes/get_data_views.test.ts 
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { getDataViews } from './get_data_views';
+import { dataViewsService } from '../mocks';
+import { getUsageCollection } from './test_utils';
+
+describe('get all data views', () => {
+ it('call usageCollection', () => {
+ const usageCollection = getUsageCollection();
+ getDataViews({
+ dataViewsService,
+ counterName: 'GET /path',
+ usageCollection,
+ });
+ expect(usageCollection.incrementCounter).toBeCalledTimes(1);
+ });
+});
diff --git a/src/plugins/data_views/server/rest_api_routes/get_data_views.ts b/src/plugins/data_views/server/rest_api_routes/get_data_views.ts
new file mode 100644
index 0000000000000..f7a77d7e5c8d1
--- /dev/null
+++ b/src/plugins/data_views/server/rest_api_routes/get_data_views.ts
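Review bot: The test calls `getDataViews` without awaiting it and never checks that the service was consulted, so a regression that drops the `getIdsWithTitle()` call would still pass. Make the callback `async`, write `await getDataViews({ ... })`, and add `expect(dataViewsService.getIdsWithTitle).toHaveBeenCalledTimes(1);` — the shared mock in `../mocks` gains that `jest.fn()` in this same diff. The existing counter assertion is sound as written because `incrementCounter` runs synchronously before the first `await` inside `getDataViews`.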
@@ -0,0 +1,77 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { UsageCounter } from '@kbn/usage-collection-plugin/server';
+import { IRouter, StartServicesAccessor } from '@kbn/core/server';
+import { DataViewsService } from '../../common';
+import { handleErrors } from './util/handle_errors';
+import type { DataViewsServerPluginStartDependencies, DataViewsServerPluginStart } from '../types';
+import { SERVICE_KEY, SERVICE_PATH } from '../constants';
+
+interface GetDataViewsArgs {
+ dataViewsService: DataViewsService;
+ usageCollection?: UsageCounter;
+ counterName: string;
+}
+
+export const getDataViews = async ({
+ dataViewsService,
+ usageCollection,
+ counterName,
+}: GetDataViewsArgs) => {
+ usageCollection?.incrementCounter({ counterName });
+ return dataViewsService.getIdsWithTitle();
+};
+
+const getDataViewsRouteFactory =
+ (path: string, serviceKey: string) =>
+ (
+ router: IRouter,
+ getStartServices: StartServicesAccessor<
+ DataViewsServerPluginStartDependencies,
+ DataViewsServerPluginStart
+ >,
+ usageCollection?: UsageCounter
+ ) => {
+ router.get(
+ {
+ path,
+ validate: {},
+ },
+ router.handleLegacyErrors(
+ handleErrors(async (ctx, req, res) => {
+ const core = await ctx.core;
+ const savedObjectsClient = core.savedObjects.client;
+ const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+ const [, , { dataViewsServiceFactory }] = await getStartServices();
+ const dataViewsService = await dataViewsServiceFactory(
+ savedObjectsClient,
+ elasticsearchClient,
+ req
+ );
+
+ const dataViews = await getDataViews({
+ dataViewsService,
+ usageCollection,
+ counterName: `${req.route.method} ${path}`,
+ });
+
+ return res.ok({
+ headers: {
+ 'content-type': 'application/json',
+ },
+ body: {
+ [serviceKey]: dataViews,
+ },
+ });
+ })
+ )
+ );
+ };
+
+export const registerGetDataViewsRoute = getDataViewsRouteFactory(SERVICE_PATH, SERVICE_KEY);
diff --git a/src/plugins/data_views/server/rest_api_routes/index.ts b/src/plugins/data_views/server/rest_api_routes/index.ts
index 3ed0ac6608e1e..812cda62ac1ef 100644
--- a/src/plugins/data_views/server/rest_api_routes/index.ts
+++ b/src/plugins/data_views/server/rest_api_routes/index.ts
@@ -14,6 +14,7 @@ import * as createRoutes from './create_data_view';
 import * as defaultRoutes from './default_data_view';
 import * as deleteRoutes from './delete_data_view';
 import * as getRoutes from './get_data_view';
+import * as getAllRoutes from './get_data_views';
 import * as hasRoutes from './has_user_data_view';
 import * as updateRoutes from './update_data_view';
@@ -38,6 +39,7 @@ const routes = [
 deleteRoutes.registerDeleteDataViewRouteLegacy,
 getRoutes.registerGetDataViewRoute,
 getRoutes.registerGetDataViewRouteLegacy,
+ getAllRoutes.registerGetDataViewsRoute,
 hasRoutes.registerHasUserDataViewRoute,
 hasRoutes.registerHasUserDataViewRouteLegacy,
 updateRoutes.registerUpdateDataViewRoute,
diff --git a/src/plugins/data_views/server/rest_api_routes/runtime_fields/create_runtime_field.ts b/src/plugins/data_views/server/rest_api_routes/runtime_fields/create_runtime_field.ts
index 5c9faaf2c8593..da3928c874930 100644
--- a/src/plugins/data_views/server/rest_api_routes/runtime_fields/create_runtime_field.ts
+++ b/src/plugins/data_views/server/rest_api_routes/runtime_fields/create_runtime_field.ts
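Review bot: `getDataViews` and `getDataViewsRouteFactory` are new exports with no JSDoc; add `/** Lists the id and title of every data view visible to the supplied service, incrementing the `counterName` usage counter when `usageCollection` is given. */` above `getDataViews`, and a line on the factory noting that the route is registered at `path` and wraps the list as `{ [serviceKey]: [...] }`. The handler builds the service from `core.savedObjects.client` and `asCurrentUser`, so the listing is already scoped to the requesting user's saved-object privileges and needs no separate authorization check — worth a one-line comment so a later edit does not swap in the internal clients used by the telemetry collector elsewhere in this diff. `getIdsWithTitle()` is called with no arguments; if it is served from a bounded saved-objects cache (not visible here — confirm), this endpoint would silently truncate on large installations, and that limit should be documented on the route.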
@@ -9,7 +9,8 @@ import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { schema } from '@kbn/config-schema'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewsService, RuntimeField } from '../../../common'; +import { DataViewsService } from '../../../common/data_views'; +import { RuntimeField } from '../../../common/types'; import { handleErrors } from '../util/handle_errors'; import { runtimeFieldSchema } from '../util/schemas'; import type { diff --git a/src/plugins/data_views/server/rest_api_routes/runtime_fields/get_runtime_field.ts b/src/plugins/data_views/server/rest_api_routes/runtime_fields/get_runtime_field.ts index 867766eec3124..f38c232c247f4 100644 --- a/src/plugins/data_views/server/rest_api_routes/runtime_fields/get_runtime_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/runtime_fields/get_runtime_field.ts @@ -9,7 +9,7 @@ import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { schema } from '@kbn/config-schema'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewsService } from '../../../common'; +import { DataViewsService } from '../../../common/data_views'; import { ErrorIndexPatternFieldNotFound } from '../../error'; import { handleErrors } from '../util/handle_errors'; import type { diff --git a/src/plugins/data_views/server/rest_api_routes/runtime_fields/put_runtime_field.ts b/src/plugins/data_views/server/rest_api_routes/runtime_fields/put_runtime_field.ts index 0f5399606dfdc..98378da328410 100644 --- a/src/plugins/data_views/server/rest_api_routes/runtime_fields/put_runtime_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/runtime_fields/put_runtime_field.ts 
@@ -9,7 +9,8 @@ import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { schema } from '@kbn/config-schema'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewsService, RuntimeField } from '../../../common'; +import { DataViewsService } from '../../../common/data_views'; +import { RuntimeField } from '../../../common/types'; import { handleErrors } from '../util/handle_errors'; import { runtimeFieldSchema } from '../util/schemas'; import type { diff --git a/src/plugins/data_views/server/rest_api_routes/runtime_fields/update_runtime_field.ts b/src/plugins/data_views/server/rest_api_routes/runtime_fields/update_runtime_field.ts index 1aaf1b112feed..880b4bc59b601 100644 --- a/src/plugins/data_views/server/rest_api_routes/runtime_fields/update_runtime_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/runtime_fields/update_runtime_field.ts @@ -9,7 +9,8 @@ import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { schema } from '@kbn/config-schema'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewsService, RuntimeField } from '../../../common'; +import { DataViewsService } from '../../../common/data_views'; +import { RuntimeField } from '../../../common/types'; import { ErrorIndexPatternFieldNotFound } from '../../error'; import { handleErrors } from '../util/handle_errors'; import { runtimeFieldSchema } from '../util/schemas'; diff --git a/src/plugins/data_views/server/rest_api_routes/scripted_fields/create_scripted_field.ts b/src/plugins/data_views/server/rest_api_routes/scripted_fields/create_scripted_field.ts index 759627f926762..a4a38c056d825 100644 --- a/src/plugins/data_views/server/rest_api_routes/scripted_fields/create_scripted_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/scripted_fields/create_scripted_field.ts 
@@ -45,8 +45,8 @@ export const registerCreateScriptedFieldRoute = ( const core = await ctx.core; const savedObjectsClient = core.savedObjects.client; const elasticsearchClient = core.elasticsearch.client.asCurrentUser; - const [, , { indexPatternsServiceFactory }] = await getStartServices(); - const indexPatternsService = await indexPatternsServiceFactory( + const [, , { dataViewsServiceFactory }] = await getStartServices(); + const indexPatternsService = await dataViewsServiceFactory( savedObjectsClient, elasticsearchClient, req diff --git a/src/plugins/data_views/server/rest_api_routes/scripted_fields/delete_scripted_field.ts b/src/plugins/data_views/server/rest_api_routes/scripted_fields/delete_scripted_field.ts index 7e3333820e4e9..e381eb8f09bf3 100644 --- a/src/plugins/data_views/server/rest_api_routes/scripted_fields/delete_scripted_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/scripted_fields/delete_scripted_field.ts @@ -46,8 +46,8 @@ export const registerDeleteScriptedFieldRoute = ( const core = await ctx.core; const savedObjectsClient = core.savedObjects.client; const elasticsearchClient = core.elasticsearch.client.asCurrentUser; - const [, , { indexPatternsServiceFactory }] = await getStartServices(); - const indexPatternsService = await indexPatternsServiceFactory( + const [, , { dataViewsServiceFactory }] = await getStartServices(); + const indexPatternsService = await dataViewsServiceFactory( savedObjectsClient, elasticsearchClient, req diff --git a/src/plugins/data_views/server/rest_api_routes/scripted_fields/get_scripted_field.ts b/src/plugins/data_views/server/rest_api_routes/scripted_fields/get_scripted_field.ts index befe30f8437f2..e5cf849205a55 100644 --- a/src/plugins/data_views/server/rest_api_routes/scripted_fields/get_scripted_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/scripted_fields/get_scripted_field.ts 
@@ -46,8 +46,8 @@ export const registerGetScriptedFieldRoute = ( const core = await ctx.core; const savedObjectsClient = core.savedObjects.client; const elasticsearchClient = core.elasticsearch.client.asCurrentUser; - const [, , { indexPatternsServiceFactory }] = await getStartServices(); - const indexPatternsService = await indexPatternsServiceFactory( + const [, , { dataViewsServiceFactory }] = await getStartServices(); + const indexPatternsService = await dataViewsServiceFactory( savedObjectsClient, elasticsearchClient, req diff --git a/src/plugins/data_views/server/rest_api_routes/scripted_fields/put_scripted_field.ts b/src/plugins/data_views/server/rest_api_routes/scripted_fields/put_scripted_field.ts index 93312dd6d3cf6..e42c364fac8f0 100644 --- a/src/plugins/data_views/server/rest_api_routes/scripted_fields/put_scripted_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/scripted_fields/put_scripted_field.ts @@ -45,8 +45,8 @@ export const registerPutScriptedFieldRoute = ( const core = await ctx.core; const savedObjectsClient = core.savedObjects.client; const elasticsearchClient = core.elasticsearch.client.asCurrentUser; - const [, , { indexPatternsServiceFactory }] = await getStartServices(); - const indexPatternsService = await indexPatternsServiceFactory( + const [, , { dataViewsServiceFactory }] = await getStartServices(); + const indexPatternsService = await dataViewsServiceFactory( savedObjectsClient, elasticsearchClient, req diff --git a/src/plugins/data_views/server/rest_api_routes/scripted_fields/update_scripted_field.ts b/src/plugins/data_views/server/rest_api_routes/scripted_fields/update_scripted_field.ts index ddc9d7ae552e8..642761a61b7cb 100644 --- a/src/plugins/data_views/server/rest_api_routes/scripted_fields/update_scripted_field.ts +++ b/src/plugins/data_views/server/rest_api_routes/scripted_fields/update_scripted_field.ts 
@@ -66,8 +66,8 @@ export const registerUpdateScriptedFieldRoute = ( const core = await ctx.core; const savedObjectsClient = core.savedObjects.client; const elasticsearchClient = core.elasticsearch.client.asCurrentUser; - const [, , { indexPatternsServiceFactory }] = await getStartServices(); - const indexPatternsService = await indexPatternsServiceFactory( + const [, , { dataViewsServiceFactory }] = await getStartServices(); + const indexPatternsService = await dataViewsServiceFactory( savedObjectsClient, elasticsearchClient, req diff --git a/src/plugins/data_views/server/rest_api_routes/update_data_view.ts b/src/plugins/data_views/server/rest_api_routes/update_data_view.ts index 424680f85b498..22598a8251096 100644 --- a/src/plugins/data_views/server/rest_api_routes/update_data_view.ts +++ b/src/plugins/data_views/server/rest_api_routes/update_data_view.ts @@ -9,7 +9,8 @@ import { schema } from '@kbn/config-schema'; import { UsageCounter } from '@kbn/usage-collection-plugin/server'; import { IRouter, StartServicesAccessor } from '@kbn/core/server'; -import { DataViewSpec, DataViewsService } from '../../common'; +import { DataViewsService } from '../../common/data_views'; +import { DataViewSpec } from '../../common/types'; import { handleErrors } from './util/handle_errors'; import { fieldSpecSchema, runtimeFieldSchema, serializedFieldFormatSchema } from './util/schemas'; import type { DataViewsServerPluginStartDependencies, DataViewsServerPluginStart } from '../types'; diff --git a/src/plugins/data_views/server/saved_objects_client_wrapper.ts b/src/plugins/data_views/server/saved_objects_client_wrapper.ts index 85b7710614536..d8755b9ff1be1 100644 --- a/src/plugins/data_views/server/saved_objects_client_wrapper.ts +++ b/src/plugins/data_views/server/saved_objects_client_wrapper.ts 
@@ -7,11 +7,8 @@ */ import { SavedObjectsClientContract, SavedObject } from '@kbn/core/server'; -import { - SavedObjectsClientCommon, - SavedObjectsClientCommonFindArgs, - DataViewSavedObjectConflictError, -} from '../common'; +import { SavedObjectsClientCommon, SavedObjectsClientCommonFindArgs } from '../common/types'; +import { DataViewSavedObjectConflictError } from '../common/errors'; export class SavedObjectsClientServerToCommon implements SavedObjectsClientCommon { private savedObjectClient: SavedObjectsClientContract; diff --git a/src/plugins/data_views/server/types.ts b/src/plugins/data_views/server/types.ts index 5e366b328275b..cce27ff305972 100644 --- a/src/plugins/data_views/server/types.ts +++ b/src/plugins/data_views/server/types.ts 
@@ -17,42 +17,74 @@ import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/server'; import { FieldFormatsSetup, FieldFormatsStart } from '@kbn/field-formats-plugin/server'; import { DataViewsService } from '../common'; +/** + * Data Views service factory + */ type ServiceFactory = ( + /** + * Saved objects client + */ savedObjectsClient: SavedObjectsClientContract, + /** + * Elasticsearch client + */ elasticsearchClient: ElasticsearchClient, + /** + * Kibana request object + */ request?: KibanaRequest, + /** + * Ignore capabilities + */ byPassCapabilities?: boolean ) => Promise; + +/** + * DataViews server plugin start api + */ export interface DataViewsServerPluginStart { - dataViewsServiceFactory: ServiceFactory; /** - * @deprecated Renamed to dataViewsServiceFactory + * Returns a DataViews service instance */ - indexPatternsServiceFactory: ServiceFactory; -} - -export interface IndexPatternsServiceSetupDeps { - expressions: ExpressionsServerSetup; - usageCollection?: UsageCollectionSetup; -} - -export interface IndexPatternsServiceStartDeps { - fieldFormats: FieldFormatsStart; - logger: Logger; + dataViewsServiceFactory: ServiceFactory; } +/** + * DataViews server plugin setup api + */ // eslint-disable-next-line @typescript-eslint/no-empty-interface export interface DataViewsServerPluginSetup {} -export type IndexPatternsServiceStart = DataViewsServerPluginStart; - +/** + * Data Views server setup dependencies + * @public + */ export interface DataViewsServerPluginSetupDependencies { + /** + * File formats + */ fieldFormats: FieldFormatsSetup; + /** + * Expressions + */ expressions: ExpressionsServerSetup; + /** + * Usage collection + */ usageCollection?: UsageCollectionSetup; } +/** + * Data Views server start dependencies + * @public + */ export interface DataViewsServerPluginStartDependencies { + /** + * Field formats + */ fieldFormats: FieldFormatsStart; + /** + * Logger + */ logger: Logger; } 
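Review bot: The new doc comment on `byPassCapabilities` reads only `Ignore capabilities`, which does not tell a caller what gate they are opting out of; presumably `true` skips the UI-capabilities check inside the factory (the implementation is not in this hunk — confirm), so spell it out: `/** When true, skip the capabilities check that normally gates the service; only for internal callers that act without a user request. */`. `fieldFormats` in `DataViewsServerPluginSetupDependencies` is documented as `File formats` while the start-dependencies copy says `Field formats` — fix the typo. Removing the `@deprecated` `indexPatternsServiceFactory` alias from `DataViewsServerPluginStart` is a breaking change for any consumer outside the files in this diff; the renames in `register_index_pattern_usage_collection.ts` and the scripted-field routes are here, but other plugins are not visible, so confirm no references remain.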
diff --git a/src/plugins/data_views/server/utils.ts b/src/plugins/data_views/server/utils.ts index d5d6082dc5ab8..79374609cdaa0 100644 --- a/src/plugins/data_views/server/utils.ts +++ b/src/plugins/data_views/server/utils.ts @@ -9,6 +9,9 @@ import { SavedObjectsClientContract } from '@kbn/core/server'; import { DATA_VIEW_SAVED_OBJECT_TYPE, DataViewAttributes, SavedObject, FieldSpec } from '../common'; +/** + * @deprecated Use data views api instead + */ export const getFieldByName = ( fieldName: string, indexPattern: SavedObject @@ -19,6 +22,9 @@ export const getFieldByName = ( return field; }; +/** + * @deprecated Use data views api instead + */ export const findIndexPatternById = async ( savedObjectsClient: SavedObjectsClientContract, index: string diff --git a/src/plugins/discover/public/application/view_alert/view_alert_route.tsx b/src/plugins/discover/public/application/view_alert/view_alert_route.tsx index 7eaefcbcd3c52..41759a01b2b96 100644 --- a/src/plugins/discover/public/application/view_alert/view_alert_route.tsx +++ b/src/plugins/discover/public/application/view_alert/view_alert_route.tsx @@ -10,7 +10,8 @@ import { useEffect, useMemo } from 'react'; import { useHistory, useLocation, useParams } from 'react-router-dom'; import { sha256 } from 'js-sha256'; import type { Rule } from '@kbn/alerting-plugin/common'; -import { getTime, IndexPattern } from '@kbn/data-plugin/common'; +import { getTime } from '@kbn/data-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/public'; import type { Filter } from '@kbn/data-plugin/public'; import { DiscoverAppLocatorParams } from '../../locator'; import { useDiscoverServices } from '../../utils/use_discover_services'; @@ -26,7 +27,7 @@ const isActualAlert = (queryParams: QueryParams): queryParams is NonNullableEntr }; const buildTimeRangeFilter = ( - dataView: IndexPattern, + dataView: DataView, fetchedAlert: Rule, timeFieldName: string ) => { 
diff --git a/src/plugins/discover/public/services/saved_searches/get_saved_searches.test.ts b/src/plugins/discover/public/services/saved_searches/get_saved_searches.test.ts index 9f9fc86b0288e..3e103d6ea3699 100644 --- a/src/plugins/discover/public/services/saved_searches/get_saved_searches.test.ts +++ b/src/plugins/discover/public/services/saved_searches/get_saved_searches.test.ts @@ -127,6 +127,7 @@ describe('getSavedSearch', () => { "setFields": [MockFunction], "setOverwriteDataViewType": [MockFunction], "setParent": [MockFunction], + "toExpressionAst": [MockFunction], }, "sharingSavedObjectProps": Object { "aliasPurpose": undefined, diff --git a/src/plugins/discover/public/services/saved_searches/saved_searches_utils.test.ts b/src/plugins/discover/public/services/saved_searches/saved_searches_utils.test.ts index 9b42d7557b05c..f0958737d3b79 100644 --- a/src/plugins/discover/public/services/saved_searches/saved_searches_utils.test.ts +++ b/src/plugins/discover/public/services/saved_searches/saved_searches_utils.test.ts @@ -44,6 +44,9 @@ describe('saved_searches_utils', () => { "rowHeight": undefined, "searchSource": SearchSource { "dependencies": Object { + "aggs": Object { + "createAggConfigs": [MockFunction], + }, "getConfig": [MockFunction], "onResponse": [MockFunction], "search": [MockFunction], diff --git a/src/plugins/discover/public/utils/get_sharing_data.test.ts b/src/plugins/discover/public/utils/get_sharing_data.test.ts index 63031f689fb33..a1334e3b1b9fa 100644 --- a/src/plugins/discover/public/utils/get_sharing_data.test.ts +++ b/src/plugins/discover/public/utils/get_sharing_data.test.ts 
@@ -146,13 +146,13 @@ describe('getSharingData', () => { services ); expect(getSearchSource().fields).toStrictEqual([ - 'cool-timefield', - 'cool-field-1', - 'cool-field-2', - 'cool-field-3', - 'cool-field-4', - 'cool-field-5', - 'cool-field-6', + { field: 'cool-timefield', include_unmapped: 'true' }, + { field: 'cool-field-1', include_unmapped: 'true' }, + { field: 'cool-field-2', include_unmapped: 'true' }, + { field: 'cool-field-3', include_unmapped: 'true' }, + { field: 'cool-field-4', include_unmapped: 'true' }, + { field: 'cool-field-5', include_unmapped: 'true' }, + { field: 'cool-field-6', include_unmapped: 'true' }, ]); }); diff --git a/src/plugins/discover/public/utils/get_sharing_data.ts b/src/plugins/discover/public/utils/get_sharing_data.ts index 2e3e385ce71ff..66a6a6f1eed10 100644 --- a/src/plugins/discover/public/utils/get_sharing_data.ts +++ b/src/plugins/discover/public/utils/get_sharing_data.ts @@ -96,7 +96,10 @@ export async function getSharingData( */ const useFieldsApi = !config.get(SEARCH_FIELDS_FROM_SOURCE); if (useFieldsApi && columns.length) { - searchSource.setField('fields', columns); + searchSource.setField( + 'fields', + columns.map((field) => ({ field, include_unmapped: 'true' })) + ); } return searchSource.getSerializedFields(true); }, diff --git a/src/plugins/kibana_react/public/table_list_view/__snapshots__/table_list_view.test.tsx.snap b/src/plugins/kibana_react/public/table_list_view/__snapshots__/table_list_view.test.tsx.snap index 2ad9af679e8c6..1f99e74ef97dc 100644 --- a/src/plugins/kibana_react/public/table_list_view/__snapshots__/table_list_view.test.tsx.snap +++ b/src/plugins/kibana_react/public/table_list_view/__snapshots__/table_list_view.test.tsx.snap 
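Review bot: The new `columns.map((field) => ({ field, include_unmapped: 'true' }))` gives no reason for requesting unmapped fields, and `'true'` as a string reads like a mistake next to Elasticsearch's boolean `include_unmapped` option. If the search-source field type genuinely requires the string form (not visible here — confirm), say so on the line: `// Request unmapped columns too so exported rows keep every selected column; the search-source field type takes include_unmapped as a string.` If a boolean is accepted, prefer `include_unmapped: true` and update the expectation in `get_sharing_data.test.ts` in the same commit.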
@@ -132,14 +132,14 @@ exports[`TableListView render list view 1`] = ` onChange={[Function]} pagination={ Object { - "initialPageIndex": 0, - "initialPageSize": 5, + "pageIndex": 0, + "pageSize": 20, "pageSizeOptions": Array [ 10, 20, - 5, 50, ], + "totalItemCount": 1, } } responsive={true} @@ -156,11 +156,6 @@ exports[`TableListView render list view 1`] = ` "toolsLeft": undefined, } } - sorting={ - Object { - "sort": undefined, - } - } tableCaption="test caption" tableLayout="fixed" /> diff --git a/src/plugins/kibana_react/public/table_list_view/table_list_view.test.tsx b/src/plugins/kibana_react/public/table_list_view/table_list_view.test.tsx index ba76a6b879e61..0c4d935f524d0 100644 --- a/src/plugins/kibana_react/public/table_list_view/table_list_view.test.tsx +++ b/src/plugins/kibana_react/public/table_list_view/table_list_view.test.tsx @@ -27,9 +27,9 @@ jest.mock('lodash', () => { const requiredProps: TableListViewProps> = { entityName: 'test', entityNamePlural: 'tests', - listingLimit: 5, + listingLimit: 500, initialFilter: '', - initialPageSize: 5, + initialPageSize: 20, tableColumns: [], tableListTitle: 'test title', rowHeader: 'name', 
@@ -245,4 +245,80 @@ describe('TableListView', () => { ]); }); }); + + describe('pagination', () => { + let testBed: TestBed; + + const tableColumns = [ + { + field: 'title', + name: 'Title', + sortable: true, + }, + ]; + + const initialPageSize = 20; + const totalItems = 30; + + const hits = new Array(totalItems).fill(' ').map((_, i) => ({ + title: `Item ${i < 10 ? `0${i}` : i}`, // prefix with "0" for correct A-Z sorting + })); + + const findItems = jest.fn().mockResolvedValue({ total: hits.length, hits }); + + const defaultProps: TableListViewProps> = { + ...requiredProps, + initialPageSize, + tableColumns, + findItems, + createItem: () => undefined, + }; + + const setup = registerTestBed(TableListView, { defaultProps }); + + test('should limit the number of row to the `initialPageSize` provided', async () => { + await act(async () => { + testBed = await setup(); + }); + + const { component, table } = testBed!; + component.update(); + + const { tableCellsValues } = table.getMetaData('itemsInMemTable'); + expect(tableCellsValues.length).toBe(requiredProps.initialPageSize); + + const [[firstRowTitle]] = tableCellsValues; + const [lastRowTitle] = tableCellsValues[tableCellsValues.length - 1]; + + expect(firstRowTitle).toBe('Item 00'); + expect(lastRowTitle).toBe('Item 19'); + }); + + test('should navigate to page 2', async () => { + await act(async () => { + testBed = await setup(); + }); + + const { component, table } = testBed!; + component.update(); + + const pageLinks = component.find('.euiPagination__list .euiPagination__item'); + expect(pageLinks.length).toBe(Math.ceil(totalItems / initialPageSize)); + + act(() => { + // Click on page 2 + pageLinks.at(1).find('a').simulate('click'); + }); + component.update(); + + const { tableCellsValues } = table.getMetaData('itemsInMemTable'); + expect(tableCellsValues.length).toBe(totalItems - initialPageSize); + + const [[firstRowTitle]] = tableCellsValues; + const [lastRowTitle] = 
tableCellsValues[tableCellsValues.length - 1]; + + expect(firstRowTitle).toBe('Item 20'); + expect(lastRowTitle).toBe('Item 29'); + }); + }); }); diff --git a/src/plugins/kibana_react/public/table_list_view/table_list_view.tsx b/src/plugins/kibana_react/public/table_list_view/table_list_view.tsx index 5baaaa78b76ec..30d5d4ff1b373 100644 --- a/src/plugins/kibana_react/public/table_list_view/table_list_view.tsx +++ b/src/plugins/kibana_react/public/table_list_view/table_list_view.tsx @@ -13,7 +13,8 @@ import { EuiConfirmModal, EuiEmptyPrompt, EuiInMemoryTable, - Criteria, + Pagination, + CriteriaWithPagination, PropertySort, Direction, EuiLink, @@ -78,6 +79,7 @@ export interface TableListViewState { filter: string; selectedIds: string[]; totalItems: number; + pagination: Pagination; tableSort?: { field: keyof V; direction: Direction; @@ -93,18 +95,11 @@ class TableListView extends React.Component< TableListViewProps, TableListViewState > { - private pagination = {}; private _isMounted = false; constructor(props: TableListViewProps) { super(props); - this.pagination = { - initialPageIndex: 0, - initialPageSize: props.initialPageSize, - pageSizeOptions: uniq([10, 20, 50, props.initialPageSize]).sort(), - }; - this.state = { items: [], totalItems: 0, @@ -116,6 +111,12 @@ class TableListView extends React.Component< showLimitError: false, filter: props.initialFilter, selectedIds: [], + pagination: { + pageIndex: 0, + totalItemCount: 0, + pageSize: props.initialPageSize, + pageSizeOptions: uniq([10, 20, 50, props.initialPageSize]).sort(), + }, }; } @@ -149,6 +150,10 @@ class TableListView extends React.Component< direction: 'desc' as const, } : prev.tableSort, + pagination: { + ...prev.pagination, + totalItemCount: this.state.items.length, + }, }; }); } 
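Review bot: Inside the `setState((prev) => …)` updater the new `totalItemCount` reads `this.state.items.length` instead of `prev.items.length`; functional updaters exist because `this.state` can be stale when React batches updates, so use `totalItemCount: prev.items.length,`. The enclosing method begins outside the hunk, so whether `items` is set in the same batch is not visible here — if it is, the stale read would yield a wrong page count until the next render.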
@@ -454,7 +459,19 @@ class TableListView extends React.Component< ); } - onTableChange(criteria: Criteria) { + onTableChange(criteria: CriteriaWithPagination) { + this.setState((prev) => { + const tableSort = criteria.sort ?? prev.tableSort; + return { + pagination: { + ...prev.pagination, + pageIndex: criteria.page.index, + pageSize: criteria.page.size, + }, + tableSort, + }; + }); + if (criteria.sort) { this.setState({ tableSort: criteria.sort }); } @@ -499,12 +516,12 @@ class TableListView extends React.Component< itemId="id" items={this.state.items} columns={this.getTableColumns()} - pagination={this.pagination} + pagination={this.state.pagination} loading={this.state.isFetchingItems} message={noItemsMessage} selection={selection} search={search} - sorting={{ sort: this.state.tableSort as PropertySort }} + sorting={this.state.tableSort ? { sort: this.state.tableSort as PropertySort } : undefined} onChange={this.onTableChange.bind(this)} data-test-subj="itemsInMemTable" rowHeader={this.props.rowHeader} diff --git a/src/plugins/saved_objects/public/saved_object/helpers/apply_es_resp.ts b/src/plugins/saved_objects/public/saved_object/helpers/apply_es_resp.ts index d26f0e5c602f7..afa303bbbbd2e 100644 --- a/src/plugins/saved_objects/public/saved_object/helpers/apply_es_resp.ts +++ b/src/plugins/saved_objects/public/saved_object/helpers/apply_es_resp.ts @@ -8,11 +8,8 @@ import { cloneDeep, defaults, forOwn, assign } from 'lodash'; import { SavedObjectNotFound } from '@kbn/kibana-utils-plugin/public'; -import { - IndexPattern, - injectSearchSourceReferences, - parseSearchSourceJSON, -} from '@kbn/data-plugin/public'; +import { injectSearchSourceReferences, parseSearchSourceJSON } from '@kbn/data-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { EsResponse, SavedObject, SavedObjectConfig, SavedObjectKibanaServices } from '../../types'; import { expandShorthand } from './field_mapping'; 
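Review bot: `onTableChange` now writes `tableSort` inside the functional `setState` (`criteria.sort ?? prev.tableSort`) and then, when `criteria.sort` is set, calls `this.setState({ tableSort: criteria.sort })` a second time; the trailing `if` block is redundant and can be deleted so each table event produces one state update. Add a short purpose line above the method: `// Keep EuiInMemoryTable controlled: mirror page index/size and sort into state on every change.`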
@@ -37,7 +34,7 @@ export async function applyESResp( delete resp._source.kibanaSavedObjectMeta; if (!config.indexPattern && savedObject._source.indexPattern) { - config.indexPattern = savedObject._source.indexPattern as IndexPattern; + config.indexPattern = savedObject._source.indexPattern as DataView; delete savedObject._source.indexPattern; } diff --git a/src/plugins/saved_objects/public/types.ts b/src/plugins/saved_objects/public/types.ts index a7a3029db1ba1..1159a02dc0c33 100644 --- a/src/plugins/saved_objects/public/types.ts +++ b/src/plugins/saved_objects/public/types.ts @@ -13,13 +13,9 @@ import { SavedObjectAttributes, SavedObjectReference, } from '@kbn/core/public'; -import { - IndexPattern, - ISearchSource, - ISearchStart, - SerializedSearchSourceFields, -} from '@kbn/data-plugin/public'; +import { ISearchSource, ISearchStart, SerializedSearchSourceFields } from '@kbn/data-plugin/public'; import { DataViewsContract } from '@kbn/data-views-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/common'; /** * @deprecated @@ -37,7 +33,7 @@ export interface SavedObject { getDisplayName: () => string; getEsType: () => string; getFullPath: () => string; - hydrateIndexPattern?: (id?: string) => Promise; + hydrateIndexPattern?: (id?: string) => Promise; id?: string; init?: () => Promise; isSaving: boolean; @@ -85,7 +81,7 @@ export interface SavedObjectConfig { injectReferences?: (object: T, references: SavedObjectReference[]) => void; id?: string; init?: () => void; - indexPattern?: IndexPattern; + indexPattern?: DataView; mapping?: Record; migrationVersion?: Record; path?: string; diff --git a/src/plugins/unified_search/public/actions/apply_filter_action.ts b/src/plugins/unified_search/public/actions/apply_filter_action.ts index 465d6d33890de..e890cd94375c3 100644 --- a/src/plugins/unified_search/public/actions/apply_filter_action.ts +++ b/src/plugins/unified_search/public/actions/apply_filter_action.ts 
@@ -11,8 +11,8 @@ import { ThemeServiceSetup } from '@kbn/core/public'; import { toMountPoint } from '@kbn/kibana-react-plugin/public'; import { Action, createAction, IncompatibleActionError } from '@kbn/ui-actions-plugin/public'; // for cleanup esFilters need to fix the issue https://github.com/elastic/kibana/issues/131292 -import { FilterManager, TimefilterContract, esFilters } from '@kbn/data-plugin/public'; -import type { Filter } from '@kbn/es-query'; +import { FilterManager, TimefilterContract } from '@kbn/data-plugin/public'; +import type { Filter, RangeFilter } from '@kbn/es-query'; import { getOverlays, getIndexPatterns } from '../services'; import { applyFiltersPopover } from '../apply_filters'; @@ -103,13 +103,14 @@ export function createFilterAction( } if (timeFieldName) { - const { timeRangeFilter, restOfFilters } = esFilters.extractTimeFilter( + const { extractTimeFilter } = await import('@kbn/es-query'); + const { timeRangeFilter, restOfFilters } = extractTimeFilter( timeFieldName, selectedFilters ); filterManager.addFilters(restOfFilters); if (timeRangeFilter) { - esFilters.changeTimeFilter(timeFilter, timeRangeFilter); + changeTimeFilter(timeFilter, timeRangeFilter); } } else { filterManager.addFilters(selectedFilters); @@ -117,3 +118,8 @@ export function createFilterAction( }, }); } + +async function changeTimeFilter(timeFilter: TimefilterContract, filter: RangeFilter) { + const { convertRangeFilterToTimeRange } = await import('@kbn/es-query'); + timeFilter.setTime(convertRangeFilterToTimeRange(filter)); +} diff --git a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.test.ts b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.test.ts index 085ba3dc0979f..1c8f98afec470 100644 --- a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.test.ts +++ b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.test.ts 
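Review bot: The context comment `// for cleanup esFilters need to fix the issue https://github.com/elastic/kibana/issues/131292` sits directly above the `@kbn/data-plugin/public` import, but this hunk removes the `esFilters` import it refers to, so the note now points at nothing. Delete it, or reword it to name whatever in this file still depends on the linked issue; a stale TODO sends the next reader hunting for an `esFilters` reference that no longer exists.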
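Review bot: `changeTimeFilter` is `async` (it awaits a dynamic import), but the call `changeTimeFilter(timeFilter, timeRangeFilter);` is not awaited, so the time range is applied on a later tick than `filterManager.addFilters(restOfFilters)` and a failed chunk load surfaces as an unhandled rejection rather than an error from the action; write `await changeTimeFilter(timeFilter, timeRangeFilter);`. The execute body and the helper each `await import('@kbn/es-query')` separately — one import destructuring both `extractTimeFilter` and `convertRangeFilterToTimeRange` would do. The enclosing `execute` starts outside the hunk.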
@@ -13,6 +13,7 @@ import type { KueryNode } from '@kbn/es-query';
 import { setupGetFieldSuggestions } from './field';
 import { QuerySuggestionGetFnArgs } from '../query_suggestion_provider';
 import { coreMock } from '@kbn/core/public/mocks';
+import type { DataViewField } from '@kbn/data-views-plugin/public';
 const mockKueryNode = (kueryNode: Partial) => kueryNode as unknown as KueryNode;
@@ -39,7 +40,9 @@ describe('Kuery field suggestions', () => {
 querySuggestionsArgs,
 mockKueryNode({ prefix, suffix })
 );
- const filterableFields = indexPatternResponse.fields.filter(indexPatternsUtils.isFilterable);
+ const filterableFields = (indexPatternResponse.fields as DataViewField[]).filter(
+ indexPatternsUtils.isFilterable
+ );
 expect(suggestions.length).toBe(filterableFields.length);
 });
diff --git a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.tsx b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.tsx
index 37f9c4658b81a..1df09621aee91 100644
--- a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.tsx
+++ b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/field.tsx
@@ -6,14 +6,14 @@
 * Side Public License, v 1.
 */
-// for replace IFieldType => DataViewField need to fix the issue https://github.com/elastic/kibana/issues/131292
-import { IFieldType, indexPatterns as indexPatternsUtils } from '@kbn/data-plugin/public';
+import { indexPatterns as indexPatternsUtils } from '@kbn/data-plugin/public';
+import type { DataViewField } from '@kbn/data-views-plugin/public';
 import { flatten } from 'lodash';
 import { sortPrefixFirst } from './sort_prefix_first';
 import { QuerySuggestionField, QuerySuggestionTypes } from '../query_suggestion_provider';
 import { KqlQuerySuggestionProvider } from './types';
-const keywordComparator = (first: IFieldType, second: IFieldType) => {
+const keywordComparator = (first: DataViewField, second: DataViewField) => {
 const extensions = ['raw', 'keyword'];
 if (extensions.map((ext) => `${first.name}.${ext}`).includes(second.name)) {
 return 1;
@@ -32,7 +32,8 @@ export const setupGetFieldSuggestions: KqlQuerySuggestionProvider {
 return indexPattern.fields.filter(indexPatternsUtils.isFilterable);
 })
- );
+ // temp until IIndexPattern => DataView
+ ) as DataViewField[];
 const search = `${prefix}${suffix}`.trim().toLowerCase();
 const matchingFields = allFields.filter((field) => {
 const subTypeNested = indexPatternsUtils.getFieldSubtypeNested(field);
diff --git a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/value.ts b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/value.ts
index 0bbf416d99a2e..57c4db1cbf1f7 100644
--- a/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/value.ts
+++ b/src/plugins/unified_search/public/autocomplete/providers/kql_query_suggestion/value.ts
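Review bot: The new `// temp until IIndexPattern => DataView` comment is placed between the `})` and the closing `) as DataViewField[]` of the `flatten(` call, inside the argument list where it is easy to overlook, and it drops the tracking link that the removed `// for replace IFieldType => DataViewField need to fix the issue …131292` comment carried. Move it above the statement that builds `allFields` and keep the reference, e.g. `// TODO: cast is temporary until IIndexPattern => DataView, see https://github.com/elastic/kibana/issues/131292`. The `as DataViewField[]` assertion silences the type checker rather than narrowing anything, so a reader needs that link to know when it can be removed. The enclosing `setupGetFieldSuggestions` arrow function starts before the hunk.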
@@ -8,9 +8,7 @@
 import { flatten } from 'lodash';
 import { CoreSetup } from '@kbn/core/public';
-// for replace IIndexPattern => DataView and IFieldType => DataViewField
-// need to fix the issue https://github.com/elastic/kibana/issues/131292
-import type { IIndexPattern, IFieldType } from '@kbn/data-views-plugin/common';
+import type { DataView, DataViewField } from '@kbn/data-views-plugin/common';
 import { escapeQuotes } from './lib/escape_kuery';
 import { KqlQuerySuggestionProvider } from './types';
 import type { UnifiedSearchPublicPluginStart } from '../../../types';
@@ -38,7 +36,7 @@ export const setupGetValueSuggestions: KqlQuerySuggestionProvider = (
 ): Promise => {
 const fullFieldName = nestedPath ? `${nestedPath}.${fieldName}` : fieldName;
- const indexPatternFieldEntries: Array<[IIndexPattern, IFieldType]> = [];
+ const indexPatternFieldEntries: Array<[DataView, DataViewField]> = [];
 indexPatterns.forEach((indexPattern) => {
 indexPattern.fields
 .filter((field) => field.name === fullFieldName)
diff --git a/src/plugins/unified_search/public/autocomplete/providers/query_suggestion_provider.ts b/src/plugins/unified_search/public/autocomplete/providers/query_suggestion_provider.ts
index 2e0e5c793f82f..f68bb73a4e50d 100644
--- a/src/plugins/unified_search/public/autocomplete/providers/query_suggestion_provider.ts
+++ b/src/plugins/unified_search/public/autocomplete/providers/query_suggestion_provider.ts
@@ -8,7 +8,7 @@
 import { ValueSuggestionsMethod } from '@kbn/data-plugin/common';
 // for replace IIndexPattern => DataView need to fix the issue https://github.com/elastic/kibana/issues/131292
-import type { DataViewField, IIndexPattern } from '@kbn/data-views-plugin/common';
+import type { DataViewField, DataView } from '@kbn/data-views-plugin/common';
 export enum QuerySuggestionTypes {
 Field = 'field',
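Review bot: In query_suggestion_provider.ts the context line `// for replace IIndexPattern => DataView need to fix the issue https://github.com/elastic/kibana/issues/131292` is kept while the import directly below it is changed to `DataView`, so the comment now describes work this very hunk completes. The value.ts hunk above (`@@ -8,9 +8,7`) removes its equivalent comment together with the old types; do the same here and delete the line, so the stale pointer does not suggest that `IIndexPattern` is still in use in this file.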
@@ -25,7 +25,7 @@ export type QuerySuggestionGetFn = (
 /** @public **/
 export interface QuerySuggestionGetFnArgs {
 language: string;
- indexPatterns: IIndexPattern[];
+ indexPatterns: DataView[];
 query: string;
 selectionStart: number;
 selectionEnd: number;
diff --git a/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.test.ts b/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.test.ts
index a17172a2b6072..310e3d402df34 100644
--- a/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.test.ts
+++ b/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.test.ts
@@ -12,6 +12,7 @@ import type { TimefilterSetup } from '@kbn/data-plugin/public';
 import { UI_SETTINGS } from '@kbn/data-plugin/common';
 import { setupValueSuggestionProvider } from './value_suggestion_provider';
 import type { ValueSuggestionsGetFn } from './value_suggestion_provider';
+import type { DataView } from '@kbn/data-views-plugin/public';
 describe('FieldSuggestions', () => {
 let getValueSuggestions: ValueSuggestionsGetFn;
@@ -186,7 +187,7 @@ describe('FieldSuggestions', () => {
 ...stubIndexPattern,
 title: 'customIndexPattern',
 useTimeRange: false,
- };
+ } as unknown as DataView;
 await getValueSuggestions({
 indexPattern: customIndexPattern,
@@ -195,7 +196,7 @@ describe('FieldSuggestions', () => {
 useTimeRange: false,
 });
 await getValueSuggestions({
- indexPattern: customIndexPattern,
+ indexPattern: customIndexPattern as unknown as DataView,
 field: fields[0],
 query: 'query',
 useTimeRange: false,
diff --git a/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts b/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts
index 8d08a9de2577d..f935cd9362b56 100644
--- a/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts
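Review bot: In value_suggestion_provider.test.ts `customIndexPattern` is already widened with `} as unknown as DataView;` in the `@@ -186,7 +187,7` hunk, so the second assertion `indexPattern: customIndexPattern as unknown as DataView,` in the `@@ -195,7 +196,7` hunk re-casts a value that already has that type and can be reverted to `indexPattern: customIndexPattern,`. The first call site, visible as context in the -186 hunk, passes it without a cast, which is the form both calls should use. Both hunks sit inside the `describe('FieldSuggestions', …)` block, whose `it` callback starts outside the hunk.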
+++ b/src/plugins/unified_search/public/autocomplete/providers/value_suggestion_provider.ts
@@ -10,17 +10,15 @@ import { CoreSetup } from '@kbn/core/public';
 import dateMath from '@kbn/datemath';
 import { memoize } from 'lodash';
 import { UI_SETTINGS, ValueSuggestionsMethod } from '@kbn/data-plugin/common';
-// for replace IIndexPattern => DataView and IFieldType => DataViewField
-// need to fix the issue https://github.com/elastic/kibana/issues/131292
-import type { IIndexPattern, IFieldType } from '@kbn/data-views-plugin/common';
+import type { DataView, DataViewField } from '@kbn/data-views-plugin/common';
 import type { TimefilterSetup } from '@kbn/data-plugin/public';
 import { AutocompleteUsageCollector } from '../collectors';
 export type ValueSuggestionsGetFn = (args: ValueSuggestionsGetFnArgs) => Promise;
 interface ValueSuggestionsGetFnArgs {
- indexPattern: IIndexPattern;
- field: IFieldType;
+ indexPattern: DataView;
+ field: DataViewField;
 query: string;
 useTimeRange?: boolean;
 boolFilter?: any[];
@@ -28,10 +26,7 @@ interface ValueSuggestionsGetFnArgs {
 method?: ValueSuggestionsMethod;
 }
-const getAutocompleteTimefilter = (
- { timefilter }: TimefilterSetup,
- indexPattern: IIndexPattern
-) => {
+const getAutocompleteTimefilter = ({ timefilter }: TimefilterSetup, indexPattern: DataView) => {
 const timeRange = timefilter.getTime();
 // Use a rounded timerange so that memoizing works properly
@@ -51,7 +46,7 @@ export const setupValueSuggestionProvider = (
 usageCollector,
 }: { timefilter: TimefilterSetup; usageCollector?: AutocompleteUsageCollector }
 ): ValueSuggestionsGetFn => {
- function resolver(title: string, field: IFieldType, query: string, filters: any[]) {
+ function resolver(title: string, field: DataViewField, query: string, filters: any[]) {
 // Only cache results for a minute
 const ttl = Math.floor(Date.now() / 1000 / 60);
 return [ttl, query, title, field.name, JSON.stringify(filters)].join('|');
@@ -60,7 +55,7 @@ export const setupValueSuggestionProvider = (
 const requestSuggestions = memoize(
 (
 index: string,
- field: IFieldType,
+ field: DataViewField,
 query: string,
 filters: any = [],
 signal?: AbortSignal,
diff --git a/src/plugins/unified_search/public/query_string_input/query_bar_menu.tsx b/src/plugins/unified_search/public/query_string_input/query_bar_menu.tsx
index db6cbbe5385a6..7f63dd235e02f 100644
--- a/src/plugins/unified_search/public/query_string_input/query_bar_menu.tsx
+++ b/src/plugins/unified_search/public/query_string_input/query_bar_menu.tsx
@@ -17,9 +17,9 @@ import {
 EuiToolTip,
 } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import type { Filter, Query } from '@kbn/es-query';
+import type { Filter, Query, TimeRange } from '@kbn/es-query';
 import type { DataView } from '@kbn/data-views-plugin/public';
-import type { TimeRange, SavedQueryService, SavedQuery } from '@kbn/data-plugin/public';
+import type { SavedQueryService, SavedQuery } from '@kbn/data-plugin/public';
 import { QueryBarMenuPanels, QueryBarMenuPanelsProps } from './query_bar_menu_panels';
 import { FilterEditorWrapper } from './filter_editor_wrapper';
diff --git a/src/plugins/unified_search/public/query_string_input/query_bar_menu_panels.tsx b/src/plugins/unified_search/public/query_string_input/query_bar_menu_panels.tsx
index 9f8e70d6852a6..2b5dbf4999af1 100644
--- a/src/plugins/unified_search/public/query_string_input/query_bar_menu_panels.tsx
+++ b/src/plugins/unified_search/public/query_string_input/query_bar_menu_panels.tsx
@@ -19,6 +19,7 @@ import {
 import {
 Filter,
 Query,
+ TimeRange,
 enableFilter,
 disableFilter,
 toggleFilterNegated,
@@ -28,12 +29,7 @@ import {
 import { METRIC_TYPE } from '@kbn/analytics';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
 import { KIBANA_USER_QUERY_LANGUAGE_KEY, UI_SETTINGS } from '@kbn/data-plugin/common';
-import type {
- IDataPluginServices,
- TimeRange,
- SavedQueryService,
- SavedQuery,
-} from '@kbn/data-plugin/public';
+import type { IDataPluginServices, SavedQueryService, SavedQuery } from '@kbn/data-plugin/public';
 import { fromUser } from './from_user';
 import { QueryLanguageSwitcher } from './language_switcher';
 import { FilterPanelOption } from '../types';
diff --git a/src/plugins/unified_search/public/query_string_input/query_bar_top_row.tsx b/src/plugins/unified_search/public/query_string_input/query_bar_top_row.tsx
index d62a7f79c82de..f982f4cc2280f 100644
--- a/src/plugins/unified_search/public/query_string_input/query_bar_top_row.tsx
+++ b/src/plugins/unified_search/public/query_string_input/query_bar_top_row.tsx
@@ -11,7 +11,7 @@ import classNames from 'classnames';
 import React, { useCallback, useEffect, useMemo, useRef, useState } from 'react';
 import deepEqual from 'fast-deep-equal';
 import useObservable from 'react-use/lib/useObservable';
-import type { Filter } from '@kbn/es-query';
+import type { Filter, TimeRange } from '@kbn/es-query';
 import { EMPTY } from 'rxjs';
 import { map } from 'rxjs/operators';
 import {
@@ -27,7 +27,6 @@ import {
 } from '@elastic/eui';
 import {
 IDataPluginServices,
- TimeRange,
 TimeHistoryContract,
 Query,
 getQueryLog,
diff --git a/src/plugins/unified_search/public/search_bar/create_search_bar.tsx b/src/plugins/unified_search/public/search_bar/create_search_bar.tsx
index a90098ebcf156..a4e1988c0dfee 100644
--- a/src/plugins/unified_search/public/search_bar/create_search_bar.tsx
+++ b/src/plugins/unified_search/public/search_bar/create_search_bar.tsx
@@ -12,8 +12,8 @@ import { CoreStart } from '@kbn/core/public';
 import { IStorageWrapper } from '@kbn/kibana-utils-plugin/public';
 import { KibanaContextProvider } from '@kbn/kibana-react-plugin/public';
 import { QueryStart, SavedQuery, DataPublicPluginStart } from '@kbn/data-plugin/public';
-import { Query, TimeRange } from '@kbn/data-plugin/common';
-import type { Filter } from '@kbn/es-query';
+import { Query } from '@kbn/data-plugin/common';
+import type { Filter, TimeRange } from '@kbn/es-query';
 import { UsageCollectionSetup } from '@kbn/usage-collection-plugin/public';
 import { SearchBar } from '.';
 import type { SearchBarOwnProps } from '.';
diff --git a/src/plugins/unified_search/public/search_bar/lib/use_timefilter.ts b/src/plugins/unified_search/public/search_bar/lib/use_timefilter.ts
index 66d69f414c55c..07a8e0e8ac1b5 100644
--- a/src/plugins/unified_search/public/search_bar/lib/use_timefilter.ts
+++ b/src/plugins/unified_search/public/search_bar/lib/use_timefilter.ts
@@ -8,7 +8,8 @@
 import { useState, useEffect } from 'react';
 import { Subscription } from 'rxjs';
-import { DataPublicPluginStart, TimeRange, RefreshInterval } from '@kbn/data-plugin/public';
+import { DataPublicPluginStart, RefreshInterval } from '@kbn/data-plugin/public';
+import type { TimeRange } from '@kbn/es-query';
 interface UseTimefilterProps {
 dateRangeFrom?: string;
diff --git a/src/plugins/unified_search/public/search_bar/search_bar.tsx b/src/plugins/unified_search/public/search_bar/search_bar.tsx
index 2a5a02d2445be..aada686db3dc8 100644
--- a/src/plugins/unified_search/public/search_bar/search_bar.tsx
+++ b/src/plugins/unified_search/public/search_bar/search_bar.tsx
@@ -15,12 +15,11 @@ import { get, isEqual } from 'lodash';
 import memoizeOne from 'memoize-one';
 import { METRIC_TYPE } from '@kbn/analytics';
-import { Query, Filter } from '@kbn/es-query';
+import { Query, Filter, TimeRange } from '@kbn/es-query';
 import { withKibana, KibanaReactContextValue } from '@kbn/kibana-react-plugin/public';
 import type { TimeHistoryContract, SavedQuery } from '@kbn/data-plugin/public';
 import type { SavedQueryAttributes } from '@kbn/data-plugin/common';
 import { IDataPluginServices } from '@kbn/data-plugin/public';
-import { TimeRange } from '@kbn/data-plugin/common';
 import { DataView } from '@kbn/data-views-plugin/public';
 import { SavedQueryMeta, SaveQueryForm } from '../saved_query_form';
diff --git a/src/plugins/vis_default_editor/public/agg_filters/agg_type_field_filters.ts b/src/plugins/vis_default_editor/public/agg_filters/agg_type_field_filters.ts
index a6ef90756d42b..28aeeb43098af 100644
--- a/src/plugins/vis_default_editor/public/agg_filters/agg_type_field_filters.ts
+++ b/src/plugins/vis_default_editor/public/agg_filters/agg_type_field_filters.ts
@@ -6,9 +6,10 @@
 * Side Public License, v 1.
 */
-import { IAggConfig, IndexPatternField } from '@kbn/data-plugin/public';
+import { IAggConfig } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
-type AggTypeFieldFilter = (field: IndexPatternField, aggConfig: IAggConfig) => boolean;
+type AggTypeFieldFilter = (field: DataViewField, aggConfig: IAggConfig) => boolean;
 const filters: AggTypeFieldFilter[] = [
 /**
@@ -29,7 +30,7 @@ const filters: AggTypeFieldFilter[] = [
 },
 ];
-export function filterAggTypeFields(fields: IndexPatternField[], aggConfig: IAggConfig) {
+export function filterAggTypeFields(fields: DataViewField[], aggConfig: IAggConfig) {
 const allowedAggTypeFields = fields.filter((field) => {
 const isAggTypeFieldAllowed = filters.every((filter) => filter(field, aggConfig));
 return isAggTypeFieldAllowed;
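Review bot: In agg_type_field_filters.ts the added `import { DataViewField } from '@kbn/data-views-plugin/public';` is a value import, yet the hunk uses `DataViewField` only in type positions (`type AggTypeFieldFilter = (field: DataViewField, …)` and `fields: DataViewField[]`), while the rest of this commit writes the same kind of import as `import type { DataView } …` (agg_type_filters.ts, editor_config.ts). Writing `import type { DataViewField } from '@kbn/data-views-plugin/public';` keeps the files consistent and states that nothing from the module is needed at runtime. TypeScript normally elides an import that is only used as a type, so this is a style and intent point rather than a bundle defect; I have not checked the project's `importsNotUsedAsValues` setting. The same value-import form appears in the agg_param_props.ts, field.test.tsx, field.tsx, top_field.tsx and top_sort_field.tsx hunks of this commit.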
diff --git a/src/plugins/vis_default_editor/public/agg_filters/agg_type_filters.ts b/src/plugins/vis_default_editor/public/agg_filters/agg_type_filters.ts
index 879c6f340bde7..d3b03324e9246 100644
--- a/src/plugins/vis_default_editor/public/agg_filters/agg_type_filters.ts
+++ b/src/plugins/vis_default_editor/public/agg_filters/agg_type_filters.ts
@@ -6,14 +6,15 @@
 * Side Public License, v 1.
 */
-import { IAggType, IAggConfig, IndexPattern, search } from '@kbn/data-plugin/public';
+import { IAggType, IAggConfig, search } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 const { propFilter } = search.aggs;
 const filterByName = propFilter('name');
 type AggTypeFilter = (
 aggType: IAggType,
- indexPattern: IndexPattern,
+ indexPattern: DataView,
 aggConfig: IAggConfig,
 aggFilter: string[]
 ) => boolean;
@@ -50,7 +51,7 @@ const filters: AggTypeFilter[] = [
 export function filterAggTypes(
 aggTypes: IAggType[],
- indexPattern: IndexPattern,
+ indexPattern: DataView,
 aggConfig: IAggConfig,
 aggFilter: string[]
 ) {
diff --git a/src/plugins/vis_default_editor/public/components/agg.test.tsx b/src/plugins/vis_default_editor/public/components/agg.test.tsx
index b3688fefaee74..c6a4057c9b415 100644
--- a/src/plugins/vis_default_editor/public/components/agg.test.tsx
+++ b/src/plugins/vis_default_editor/public/components/agg.test.tsx
@@ -10,7 +10,8 @@ import React from 'react';
 import { mount, shallow } from 'enzyme';
 import { act } from 'react-dom/test-utils';
-import { IndexPattern, IAggType, AggGroupNames } from '@kbn/data-plugin/public';
+import { IAggType, AggGroupNames } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 import type { Schema } from '@kbn/visualizations-plugin/public';
 import { DefaultEditorAgg, DefaultEditorAggProps } from './agg';
@@ -41,7 +42,7 @@ describe('DefaultEditorAgg component', () => {
 agg: {
 id: '1',
 brandNew: true,
- getIndexPattern: () => ({} as IndexPattern),
+ getIndexPattern: () => ({} as DataView),
 schema: 'metric',
 title: 'Metrics',
 params: {},
diff --git a/src/plugins/vis_default_editor/public/components/agg_param_props.ts b/src/plugins/vis_default_editor/public/components/agg_param_props.ts
index 98428967ab370..a72e3ec40ef9a 100644
--- a/src/plugins/vis_default_editor/public/components/agg_param_props.ts
+++ b/src/plugins/vis_default_editor/public/components/agg_param_props.ts
@@ -6,12 +6,8 @@
 * Side Public License, v 1.
 */
-import {
- IAggConfig,
- AggParam,
- IndexPatternField,
- OptionedValueProp,
-} from '@kbn/data-plugin/public';
+import { IAggConfig, AggParam, OptionedValueProp } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
 import type { Schema } from '@kbn/visualizations-plugin/public';
 import { ComboBoxGroupedOptions } from '../utils';
 import { EditorConfig } from './utils';
@@ -27,7 +23,7 @@ export interface AggParamCommonProps {
 disabled?: boolean;
 editorConfig: EditorConfig;
 formIsTouched: boolean;
- indexedFields?: ComboBoxGroupedOptions;
+ indexedFields?: ComboBoxGroupedOptions;
 showValidation: boolean;
 state: EditorVisState;
 value?: T;
diff --git a/src/plugins/vis_default_editor/public/components/agg_params.test.tsx b/src/plugins/vis_default_editor/public/components/agg_params.test.tsx
index fd75b06c41250..ad62aa53fb51a 100644
--- a/src/plugins/vis_default_editor/public/components/agg_params.test.tsx
+++ b/src/plugins/vis_default_editor/public/components/agg_params.test.tsx
@@ -9,7 +9,8 @@
 import React from 'react';
 import { mount } from 'enzyme';
-import { IndexPattern, IAggConfig, AggGroupNames } from '@kbn/data-plugin/public';
+import { IAggConfig, AggGroupNames } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 import {
 DefaultEditorAggParams as PureDefaultEditorAggParams,
 DefaultEditorAggParamsProps,
@@ -95,7 +96,7 @@ describe('DefaultEditorAggParams component', () => {
 } as any as IAggConfig,
 groupName: AggGroupNames.Metrics,
 formIsTouched: false,
- indexPattern: {} as IndexPattern,
+ indexPattern: {} as DataView,
 metricAggs: [],
 state: {} as EditorVisState,
 setAggParamValue,
diff --git a/src/plugins/vis_default_editor/public/components/agg_params.tsx b/src/plugins/vis_default_editor/public/components/agg_params.tsx
index a664a0f1fe3fa..8e5d04a277814 100644
--- a/src/plugins/vis_default_editor/public/components/agg_params.tsx
+++ b/src/plugins/vis_default_editor/public/components/agg_params.tsx
@@ -11,7 +11,9 @@ import { EuiForm, EuiAccordion, EuiSpacer } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import useUnmount from 'react-use/lib/useUnmount';
-import { IAggConfig, IndexPattern, AggGroupNames } from '@kbn/data-plugin/public';
+import { IAggConfig, AggGroupNames } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
+
 import type { Schema } from '@kbn/visualizations-plugin/public';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
@@ -46,7 +48,7 @@ export interface DefaultEditorAggParamsProps extends DefaultEditorCommonProps {
 aggIsTooLow?: boolean;
 className?: string;
 disabledParams?: string[];
- indexPattern: IndexPattern;
+ indexPattern: DataView;
 setValidity: (isValid: boolean) => void;
 setTouched: (isTouched: boolean) => void;
 schemas: Schema[];
diff --git a/src/plugins/vis_default_editor/public/components/agg_params_helper.test.ts b/src/plugins/vis_default_editor/public/components/agg_params_helper.test.ts
index 7bf2328ab3b06..39ed0cc6d6fe0 100644
--- a/src/plugins/vis_default_editor/public/components/agg_params_helper.test.ts
+++ b/src/plugins/vis_default_editor/public/components/agg_params_helper.test.ts
@@ -6,13 +6,8 @@
 * Side Public License, v 1.
 */
-import {
- AggGroupNames,
- BUCKET_TYPES,
- IAggConfig,
- IAggType,
- IndexPattern,
-} from '@kbn/data-plugin/public';
+import { AggGroupNames, BUCKET_TYPES, IAggConfig, IAggType } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 import type { Schema } from '@kbn/visualizations-plugin/public';
 import {
@@ -168,7 +163,7 @@ describe('DefaultEditorAggParams helpers', () => {
 describe('getAggTypeOptions', () => {
 it('should return agg type options grouped by subtype', () => {
- const indexPattern = {} as IndexPattern;
+ const indexPattern = {} as DataView;
 const aggs = getAggTypeOptions(
 { metrics: [] },
 {} as IAggConfig,
diff --git a/src/plugins/vis_default_editor/public/components/agg_params_helper.ts b/src/plugins/vis_default_editor/public/components/agg_params_helper.ts
index 5c51ac8dd4521..aaf1e968e9071 100644
--- a/src/plugins/vis_default_editor/public/components/agg_params_helper.ts
+++ b/src/plugins/vis_default_editor/public/components/agg_params_helper.ts
@@ -7,15 +7,8 @@
 */
 import { get, isEmpty } from 'lodash';
-
-import {
- IAggConfig,
- AggParam,
- IFieldParamType,
- IAggType,
- IndexPattern,
- IndexPatternField,
-} from '@kbn/data-plugin/public';
+import { IAggConfig, AggParam, IFieldParamType, IAggType } from '@kbn/data-plugin/public';
+import type { DataView, DataViewField } from '@kbn/data-views-plugin/public';
 import type { Schema } from '@kbn/visualizations-plugin/public';
 import { filterAggTypes, filterAggTypeFields } from '../agg_filters';
@@ -38,7 +31,7 @@ interface ParamInstanceBase {
 export interface ParamInstance extends ParamInstanceBase {
 aggParam: AggParam;
- indexedFields: ComboBoxGroupedOptions;
+ indexedFields: ComboBoxGroupedOptions;
 paramEditor: React.ComponentType>;
 value: unknown;
 }
@@ -66,8 +59,8 @@ function getAggParamsToRender({
 const schema = getSchemaByName(schemas, agg.schema);
 // build collection of agg params components
 paramsToRender.forEach((param: AggParam, index: number) => {
- let indexedFields: ComboBoxGroupedOptions = [];
- let fields: IndexPatternField[];
+ let indexedFields: ComboBoxGroupedOptions = [];
+ let fields: DataViewField[];
 if (hideCustomLabel && param.name === 'customLabel') {
 return;
@@ -77,7 +70,7 @@ function getAggParamsToRender({
 }
 // if field param exists, compute allowed fields
 if (param.type === 'field') {
- let availableFields: IndexPatternField[] = (param as IFieldParamType).getAvailableFields(agg);
+ let availableFields: DataViewField[] = (param as IFieldParamType).getAvailableFields(agg);
 // should be refactored in the future to provide a more general way
 // for visualization to override some agg config settings
 if (agg.type.name === 'top_hits' && param.name === 'field') {
@@ -135,7 +128,7 @@ function getAggParamsToRender({
 function getAggTypeOptions(
 aggTypes: any,
 agg: IAggConfig,
- indexPattern: IndexPattern,
+ indexPattern: DataView,
 groupName: string,
 allowedAggs: string[]
 ): ComboBoxGroupedOptions {
diff --git a/src/plugins/vis_default_editor/public/components/agg_select.tsx b/src/plugins/vis_default_editor/public/components/agg_select.tsx
index dc0fc9b2ff22d..09aee4b217266 100644
--- a/src/plugins/vis_default_editor/public/components/agg_select.tsx
+++ b/src/plugins/vis_default_editor/public/components/agg_select.tsx
@@ -12,7 +12,8 @@ import React, { useEffect, useCallback, useState } from 'react';
 import { EuiComboBox, EuiComboBoxOptionOption, EuiFormRow, EuiLink, EuiText } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
-import { IAggType, IndexPattern } from '@kbn/data-plugin/public';
+import { IAggType } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 import { DocLinksStart } from '@kbn/core/public';
 import { useKibana } from '@kbn/kibana-react-plugin/public';
@@ -23,7 +24,7 @@ interface DefaultEditorAggSelectProps {
 aggError?: string;
 aggTypeOptions: ComboBoxGroupedOptions;
 id: string;
- indexPattern: IndexPattern;
+ indexPattern: DataView;
 showValidation: boolean;
 isSubAggregation: boolean;
 value: IAggType;
diff --git a/src/plugins/vis_default_editor/public/components/controls/field.test.tsx b/src/plugins/vis_default_editor/public/components/controls/field.test.tsx
index af86377b179d1..aeac4fdbd46e8 100644
--- a/src/plugins/vis_default_editor/public/components/controls/field.test.tsx
+++ b/src/plugins/vis_default_editor/public/components/controls/field.test.tsx
@@ -11,7 +11,8 @@ import { act } from 'react-dom/test-utils';
 import { mount, shallow, ReactWrapper } from 'enzyme';
 import { EuiComboBoxProps, EuiComboBox } from '@elastic/eui';
-import { IAggConfig, IndexPatternField, AggParam } from '@kbn/data-plugin/public';
+import { IAggConfig, AggParam } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
 import { ComboBoxGroupedOptions } from '../../utils';
 import { FieldParamEditor, FieldParamEditorProps } from './field';
 import { EditorVisState } from '../sidebar/state/reducers';
@@ -29,11 +30,11 @@ describe('FieldParamEditor component', () => {
 let setTouched: jest.Mock;
 let onChange: jest.Mock;
 let defaultProps: FieldParamEditorProps;
- let indexedFields: ComboBoxGroupedOptions;
- let field: IndexPatternField;
+ let indexedFields: ComboBoxGroupedOptions;
+ let field: DataViewField;
 let option: {
 label: string;
- target: IndexPatternField;
+ target: DataViewField;
 };
 beforeEach(() => {
@@ -42,7 +43,7 @@ describe('FieldParamEditor component', () => {
 setTouched = jest.fn();
 onChange = jest.fn();
- field = { displayName: 'bytes', type: 'bytes' } as IndexPatternField;
+ field = { displayName: 'bytes', type: 'bytes' } as DataViewField;
 option = { label: 'bytes', target: field };
 indexedFields = [
 {
diff --git a/src/plugins/vis_default_editor/public/components/controls/field.tsx b/src/plugins/vis_default_editor/public/components/controls/field.tsx
index 88f00d073609e..33032ffef9903 100644
--- a/src/plugins/vis_default_editor/public/components/controls/field.tsx
+++ b/src/plugins/vis_default_editor/public/components/controls/field.tsx
@@ -13,13 +13,8 @@ import useMount from 'react-use/lib/useMount';
 import { EuiComboBox, EuiComboBoxOptionOption, EuiFormRow } from '@elastic/eui';
 import { i18n } from '@kbn/i18n';
-import {
- AggParam,
- IAggConfig,
- IFieldParamType,
- IndexPatternField,
- KBN_FIELD_TYPES,
-} from '@kbn/data-plugin/public';
+import { AggParam, IAggConfig, IFieldParamType, KBN_FIELD_TYPES } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
 import { formatListAsProse, parseCommaSeparatedList, useValidation } from './utils';
 import { AggParamEditorProps } from '../agg_param_props';
 import { ComboBoxGroupedOptions } from '../../utils';
@@ -28,7 +23,7 @@ const label = i18n.translate('visDefaultEditor.controls.field.fieldLabel', {
 defaultMessage: 'Field',
 });
-export interface FieldParamEditorProps extends AggParamEditorProps {
+export interface FieldParamEditorProps extends AggParamEditorProps {
 customError?: string;
 customLabel?: string;
 }
@@ -46,12 +41,12 @@ function FieldParamEditor({
 setValue,
 }: FieldParamEditorProps) {
 const [isDirty, setIsDirty] = useState(false);
- const selectedOptions: ComboBoxGroupedOptions = value
+ const selectedOptions: ComboBoxGroupedOptions = value
 ? [{ label: value.displayName, target: value, key: value.name }]
 : [];
 const onChange = (options: EuiComboBoxOptionOption[]) => {
- const selectedOption: IndexPatternField = get(options, '0.target');
+ const selectedOption: DataViewField = get(options, '0.target');
 if (!(aggParam.required && !selectedOption)) {
 setValue(selectedOption);
 }
diff --git a/src/plugins/vis_default_editor/public/components/controls/top_field.tsx b/src/plugins/vis_default_editor/public/components/controls/top_field.tsx
index a74025a578e15..0b9277c552479 100644
--- a/src/plugins/vis_default_editor/public/components/controls/top_field.tsx
+++ b/src/plugins/vis_default_editor/public/components/controls/top_field.tsx
@@ -9,12 +9,12 @@
 import React from 'react';
 import { i18n } from '@kbn/i18n';
-import { IndexPatternField } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
 import { FieldParamEditor } from './field';
 import { getCompatibleAggs } from './top_aggregate';
 import { AggParamEditorProps } from '../agg_param_props';
-function TopFieldParamEditor(props: AggParamEditorProps) {
+function TopFieldParamEditor(props: AggParamEditorProps) {
 const compatibleAggs = getCompatibleAggs(props.agg);
 let customError;
diff --git a/src/plugins/vis_default_editor/public/components/controls/top_sort_field.tsx b/src/plugins/vis_default_editor/public/components/controls/top_sort_field.tsx
index 022d3ed779be0..9f7284ffb6311 100644
--- a/src/plugins/vis_default_editor/public/components/controls/top_sort_field.tsx
+++ b/src/plugins/vis_default_editor/public/components/controls/top_sort_field.tsx
@@ -9,11 +9,11 @@
 import React from 'react';
 import { i18n } from '@kbn/i18n';
-import { IndexPatternField } from '@kbn/data-plugin/public';
+import { DataViewField } from '@kbn/data-views-plugin/public';
 import { FieldParamEditor } from './field';
 import { AggParamEditorProps } from '../agg_param_props';
-function TopSortFieldParamEditor(props: AggParamEditorProps) {
+function TopSortFieldParamEditor(props: AggParamEditorProps) {
 const customLabel = i18n.translate('visDefaultEditor.controls.sortOnLabel', {
 defaultMessage: 'Sort on',
 });
diff --git a/src/plugins/vis_default_editor/public/components/utils/editor_config.ts b/src/plugins/vis_default_editor/public/components/utils/editor_config.ts
index b8e61d1910509..e078b34cd3c7b 100644
--- a/src/plugins/vis_default_editor/public/components/utils/editor_config.ts
+++ b/src/plugins/vis_default_editor/public/components/utils/editor_config.ts
@@ -7,7 +7,7 @@
 */
 import { i18n } from '@kbn/i18n';
-import { IndexPattern } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 /**
 * A hidden parameter can be hidden from the UI completely.
@@ -49,7 +49,7 @@ export interface EditorConfig {
 }
 export function getEditorConfig(
- indexPattern: IndexPattern,
+ indexPattern: DataView,
 aggTypeName: string,
 fieldName: string
 ): EditorConfig {
diff --git a/src/plugins/vis_default_editor/tsconfig.json b/src/plugins/vis_default_editor/tsconfig.json
index c2e677108c08a..b6edd0176bfd0 100644
--- a/src/plugins/vis_default_editor/tsconfig.json
+++ b/src/plugins/vis_default_editor/tsconfig.json
@@ -17,6 +17,7 @@ { "path": "../kibana_utils/tsconfig.json" }, { "path": "../kibana_react/tsconfig.json" }, { "path": "../field_formats/tsconfig.json" }, - { "path": "../unified_search/tsconfig.json" } + { "path": "../unified_search/tsconfig.json" }, + { "path": "../data_views/tsconfig.json" } ] } diff --git a/src/plugins/vis_types/gauge/public/__snapshots__/to_ast.test.ts.snap b/src/plugins/vis_types/gauge/public/__snapshots__/to_ast.test.ts.snap index 73c0ee3e38d7f..79af22ed442a7 100644 --- a/src/plugins/vis_types/gauge/public/__snapshots__/to_ast.test.ts.snap +++ b/src/plugins/vis_types/gauge/public/__snapshots__/to_ast.test.ts.snap @@ -3,35 +3,6 @@ exports[`gauge vis toExpressionAst function with minimal params 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "centralMajorMode": Array [ diff --git a/src/plugins/vis_types/gauge/public/to_ast.test.ts b/src/plugins/vis_types/gauge/public/to_ast.test.ts index f3b8ee90b5b55..f88743dd70b2c 100644 --- a/src/plugins/vis_types/gauge/public/to_ast.test.ts +++ b/src/plugins/vis_types/gauge/public/to_ast.test.ts @@ -34,13 +34,7 @@ describe('gauge vis toExpressionAst function', () => { }, }, }, - data: { - indexPattern: { id: '123' } as any, - aggs: { - getResponseAggs: () => [], - aggs: [], - } as any, - }, + data: {}, } as unknown as Vis; }); diff --git a/src/plugins/vis_types/gauge/public/to_ast.ts b/src/plugins/vis_types/gauge/public/to_ast.ts index 85148b713b319..697b9790468a3 100644 --- a/src/plugins/vis_types/gauge/public/to_ast.ts +++ b/src/plugins/vis_types/gauge/public/to_ast.ts 
@@ -14,7 +14,6 @@ import type { } from '@kbn/expression-gauge-plugin/common'; import { GaugeType, GaugeVisParams } from './types'; import { getStopsWithColorsFromRanges } from './utils'; -import { getEsaggsFn } from './to_ast_esaggs'; const prepareDimension = (params: SchemaConfig) => { const visdimension = buildExpressionFunction('visdimension', { accessor: params.accessor }); @@ -90,7 +89,7 @@ export const toExpressionAst: VisToExpressionAst = (vis, params) gauge.addArgument('palette', buildExpression([palette])); } - const ast = buildExpression([getEsaggsFn(vis), gauge]); + const ast = buildExpression([gauge]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/gauge/public/to_ast_esaggs.ts b/src/plugins/vis_types/gauge/public/to_ast_esaggs.ts deleted file mode 100644 index 4b098342c6de2..0000000000000 --- a/src/plugins/vis_types/gauge/public/to_ast_esaggs.ts +++ /dev/null 
@@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Vis } from '@kbn/visualizations-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; - -import { GaugeVisParams } from './types'; - -/** - * Get esaggs expressions function - * @param vis - */ -export function getEsaggsFn(vis: Vis) { - return buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); -} diff --git a/src/plugins/vis_types/gauge/public/vis_type/gauge.tsx b/src/plugins/vis_types/gauge/public/vis_type/gauge.tsx index 3de528bfe5e6c..b6bdf93a8ea89 100644 --- a/src/plugins/vis_types/gauge/public/vis_type/gauge.tsx +++ b/src/plugins/vis_types/gauge/public/vis_type/gauge.tsx @@ -29,6 +29,7 @@ export const getGaugeVisTypeDefinition = ( defaultMessage: 'Show the status of a metric.', }), getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter], + fetchDatatable: true, toExpressionAst, visConfig: { defaults: { diff --git a/src/plugins/vis_types/gauge/public/vis_type/goal.tsx b/src/plugins/vis_types/gauge/public/vis_type/goal.tsx index c953cd3e5dfe2..bcf7596094cd1 100644 --- a/src/plugins/vis_types/gauge/public/vis_type/goal.tsx +++ b/src/plugins/vis_types/gauge/public/vis_type/goal.tsx 
@@ -27,6 +27,7 @@ export const getGoalVisTypeDefinition = ( description: i18n.translate('visTypeGauge.goal.goalDescription', { defaultMessage: 'Track how a metric progresses to a goal.', }), + fetchDatatable: true, toExpressionAst, visConfig: { defaults: { diff --git a/src/plugins/vis_types/heatmap/public/to_ast.test.ts b/src/plugins/vis_types/heatmap/public/to_ast.test.ts index 8c7e3372df867..d1e312755cf49 100644 --- a/src/plugins/vis_types/heatmap/public/to_ast.test.ts +++ b/src/plugins/vis_types/heatmap/public/to_ast.test.ts @@ -23,10 +23,6 @@ jest.mock('@kbn/expressions-plugin/public', () => ({ })), })); -jest.mock('./to_ast_esaggs', () => ({ - getEsaggsFn: jest.fn(), -})); - describe('heatmap vis toExpressionAst function', () => { let vis: Vis; @@ -42,7 +38,7 @@ describe('heatmap vis toExpressionAst function', () => { it('should match basic snapshot', () => { toExpressionAst(vis, params); - const [, builtExpression] = (buildExpression as jest.Mock).mock.calls.pop()[0]; + const [builtExpression] = (buildExpression as jest.Mock).mock.calls.pop()[0]; expect(builtExpression).toMatchSnapshot(); }); diff --git a/src/plugins/vis_types/heatmap/public/to_ast.ts b/src/plugins/vis_types/heatmap/public/to_ast.ts index 5b52ab1feeb3a..a5a14f5412dca 100644 --- a/src/plugins/vis_types/heatmap/public/to_ast.ts +++ b/src/plugins/vis_types/heatmap/public/to_ast.ts @@ -10,7 +10,6 @@ import { VisToExpressionAst, getVisSchemas, SchemaConfig } from '@kbn/visualizat import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; import { getStopsWithColorsFromRanges, getStopsWithColorsFromColorsNumber } from './utils/palette'; import type { HeatmapVisParams } from './types'; -import { getEsaggsFn } from './to_ast_esaggs'; const DEFAULT_PERCENT_DECIMALS = 2; 
@@ -127,7 +126,7 @@ export const toExpressionAst: VisToExpressionAst = async (vis, } visTypeHeatmap.addArgument('palette', buildExpression([palette])); - const ast = buildExpression([getEsaggsFn(vis), visTypeHeatmap]); + const ast = buildExpression([visTypeHeatmap]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/heatmap/public/to_ast_esaggs.ts b/src/plugins/vis_types/heatmap/public/to_ast_esaggs.ts deleted file mode 100644 index 7a95c59646f45..0000000000000 --- a/src/plugins/vis_types/heatmap/public/to_ast_esaggs.ts +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Vis } from '@kbn/visualizations-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; - -import { HeatmapVisParams } from './types'; - -/** - * Get esaggs expressions function - * @param vis - */ -export function getEsaggsFn(vis: Vis) { - return buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); -} diff --git a/src/plugins/vis_types/heatmap/public/vis_type/heatmap.tsx b/src/plugins/vis_types/heatmap/public/vis_type/heatmap.tsx index 6f711eb2667df..ee2893f2cb190 100644 --- a/src/plugins/vis_types/heatmap/public/vis_type/heatmap.tsx +++ b/src/plugins/vis_types/heatmap/public/vis_type/heatmap.tsx 
@@ -28,6 +28,7 @@ export const getHeatmapVisTypeDefinition = ({ description: i18n.translate('visTypeHeatmap.heatmap.heatmapDescription', { defaultMessage: 'Display values as colors in a matrix.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter], visConfig: { diff --git a/src/plugins/vis_types/metric/public/__snapshots__/to_ast.test.ts.snap b/src/plugins/vis_types/metric/public/__snapshots__/to_ast.test.ts.snap index ef6102571f324..b64b14bd09035 100644 --- a/src/plugins/vis_types/metric/public/__snapshots__/to_ast.test.ts.snap +++ b/src/plugins/vis_types/metric/public/__snapshots__/to_ast.test.ts.snap @@ -3,35 +3,6 @@ exports[`metric vis toExpressionAst function with percentage mode should have percentage format 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "font": Array [ @@ -96,35 +67,6 @@ Object { exports[`metric vis toExpressionAst function without params 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "font": Array [ 
diff --git a/src/plugins/vis_types/metric/public/metric_vis_type.ts b/src/plugins/vis_types/metric/public/metric_vis_type.ts index 15ec40d3bd612..30e13e8605b6d 100644 --- a/src/plugins/vis_types/metric/public/metric_vis_type.ts +++ b/src/plugins/vis_types/metric/public/metric_vis_type.ts @@ -21,6 +21,7 @@ export const createMetricVisTypeDefinition = (): VisTypeDefinition => description: i18n.translate('visTypeMetric.metricDescription', { defaultMessage: 'Show a calculation as a single number.', }), + fetchDatatable: true, toExpressionAst, visConfig: { defaults: { diff --git a/src/plugins/vis_types/metric/public/to_ast.test.ts b/src/plugins/vis_types/metric/public/to_ast.test.ts index bb9a5f0873f11..3c6ba5c532701 100644 --- a/src/plugins/vis_types/metric/public/to_ast.test.ts +++ b/src/plugins/vis_types/metric/public/to_ast.test.ts @@ -22,13 +22,7 @@ describe('metric vis toExpressionAst function', () => { params: { percentageMode: false, }, - data: { - indexPattern: { id: '123' } as any, - aggs: { - getResponseAggs: () => [], - aggs: [], - } as any, - }, + data: {}, } as unknown as Vis; }); diff --git a/src/plugins/vis_types/metric/public/to_ast.ts b/src/plugins/vis_types/metric/public/to_ast.ts index d206d046cde6a..7b771a811ba68 100644 --- a/src/plugins/vis_types/metric/public/to_ast.ts +++ b/src/plugins/vis_types/metric/public/to_ast.ts @@ -11,10 +11,6 @@ import { getVisSchemas, SchemaConfig, VisToExpressionAst } from '@kbn/visualizat import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; import { inter } from '@kbn/expressions-plugin/common'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; import { VisParams } from './types'; import { getStopsWithColorsFromRanges } from './utils'; 
@@ -30,17 +26,6 @@ const prepareDimension = (params: SchemaConfig) => { }; export const toExpressionAst: VisToExpressionAst = (vis, params) => { - const esaggs = buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); - const schemas = getVisSchemas(vis, params); const { @@ -75,7 +60,7 @@ export const toExpressionAst: VisToExpressionAst = (vis, params) => { metricVis.addArgument( 'font', buildExpression( - `font family="${inter.value}" + `font family="${inter.value}" weight="bold" align="center" sizeUnit="pt" @@ -104,7 +89,7 @@ export const toExpressionAst: VisToExpressionAst = (vis, params) => { metricVis.addArgument('metric', prepareDimension(metric)); }); - const ast = buildExpression([esaggs, metricVis]); + const ast = buildExpression([metricVis]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/pie/public/__snapshots__/to_ast.test.ts.snap b/src/plugins/vis_types/pie/public/__snapshots__/to_ast.test.ts.snap index 5b8bd613609f9..b9dcb3f6bff6a 100644 --- a/src/plugins/vis_types/pie/public/__snapshots__/to_ast.test.ts.snap +++ b/src/plugins/vis_types/pie/public/__snapshots__/to_ast.test.ts.snap @@ -3,35 +3,6 @@ exports[`vis type pie vis toExpressionAst function should match basic snapshot 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - true, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "addTooltip": Array [ 
diff --git a/src/plugins/vis_types/pie/public/to_ast.ts b/src/plugins/vis_types/pie/public/to_ast.ts index 7a131dbb76b9c..91ff6b0b6c17d 100644 --- a/src/plugins/vis_types/pie/public/to_ast.ts +++ b/src/plugins/vis_types/pie/public/to_ast.ts @@ -16,7 +16,6 @@ import { PartitionVisParams, LabelsParams, } from '@kbn/expression-partition-vis-plugin/common'; -import { getEsaggsFn } from './to_ast_esaggs'; const prepareDimension = (params: SchemaConfig) => { const visdimension = buildExpressionFunction('visdimension', { accessor: params.accessor }); @@ -83,7 +82,7 @@ export const toExpressionAst: VisToExpressionAst = async (vi args ); - const ast = buildExpression([getEsaggsFn(vis), visTypePie]); + const ast = buildExpression([visTypePie]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/pie/public/to_ast_esaggs.ts b/src/plugins/vis_types/pie/public/to_ast_esaggs.ts deleted file mode 100644 index ed689d065d66c..0000000000000 --- a/src/plugins/vis_types/pie/public/to_ast_esaggs.ts +++ /dev/null 
@@ -1,32 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Vis } from '@kbn/visualizations-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; -import { PartitionVisParams } from '@kbn/expression-partition-vis-plugin/common'; - -/** - * Get esaggs expressions function - * @param vis - */ -export function getEsaggsFn(vis: Vis) { - return buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); -} diff --git a/src/plugins/vis_types/pie/public/vis_type/pie.ts b/src/plugins/vis_types/pie/public/vis_type/pie.ts index b23f1b3ac4688..113c277d5e210 100644 --- a/src/plugins/vis_types/pie/public/vis_type/pie.ts +++ b/src/plugins/vis_types/pie/public/vis_type/pie.ts @@ -33,6 +33,7 @@ export const getPieVisTypeDefinition = ({ description: i18n.translate('visTypePie.pie.pieDescription', { defaultMessage: 'Compare data in proportion to a whole.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter], visConfig: { diff --git a/src/plugins/vis_types/table/public/table_vis_type.ts b/src/plugins/vis_types/table/public/table_vis_type.ts index b4e7a2274852e..8bd20fb6a0c81 100644 --- a/src/plugins/vis_types/table/public/table_vis_type.ts 
+++ b/src/plugins/vis_types/table/public/table_vis_type.ts @@ -97,7 +97,9 @@ export const tableVisTypeDefinition: VisTypeDefinition = { }, ], }, + fetchDatatable: true, toExpressionAst, + hasPartialRows: (vis) => vis.params.showPartialRows, hierarchicalData: (vis) => vis.params.showPartialRows || vis.params.showMetricsAtAllLevels, requiresSearch: true, }; diff --git a/src/plugins/vis_types/table/public/to_ast.test.ts b/src/plugins/vis_types/table/public/to_ast.test.ts index da112d94c0c18..fc1ebf28c54c5 100644 --- a/src/plugins/vis_types/table/public/to_ast.test.ts +++ b/src/plugins/vis_types/table/public/to_ast.test.ts @@ -58,13 +58,7 @@ describe('table vis toExpressionAst function', () => { showToolbar: false, totalFunc: AggTypes.SUM, }, - data: { - indexPattern: { id: '123' }, - aggs: { - getResponseAggs: () => [], - aggs: [], - }, - }, + data: {}, } as any; }); 
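Review bot: `fetchDatatable: true` and the new `hasPartialRows` entry carry no comment tying them to what they replace — the `esaggs` call that `toExpressionAst` in table/public/to_ast.ts used to emit with `partialRows: vis.params.showPartialRows` (removed further down in this diff). A one-line comment such as `// datatable is now fetched by the visualizations plugin (fetchDatatable); hasPartialRows replaces the partialRows arg the old esaggs builder passed` would save the next reader a search through history. `hasPartialRows` and `hierarchicalData` both read `vis.params.showPartialRows`; that looks intentional, since the removed builder derived `metricsAtAllLevels` from `vis.isHierarchical()`, but it is worth stating so nobody "deduplicates" it later.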
@@ -75,53 +69,35 @@ describe('table vis toExpressionAst function', () => { it('should create table expression ast', () => { toExpressionAst(vis, {} as any); - expect((buildExpressionFunction as jest.Mock).mock.calls.length).toEqual(5); - expect((buildExpressionFunction as jest.Mock).mock.calls[0]).toEqual([ - 'indexPatternLoad', - { id: '123' }, - ]); - expect((buildExpressionFunction as jest.Mock).mock.calls[1]).toEqual([ - 'esaggs', - { - index: expect.any(Object), - metricsAtAllLevels: false, - partialRows: true, - aggs: [], - }, - ]); + expect(buildExpressionFunction).toHaveBeenCalledTimes(3); // prepare metrics dimensions - expect((buildExpressionFunction as jest.Mock).mock.calls[2]).toEqual([ - 'visdimension', - { accessor: 1 }, - ]); + expect(buildExpressionFunction).nthCalledWith(1, 'visdimension', { accessor: 1 }); // prepare buckets dimensions - expect((buildExpressionFunction as jest.Mock).mock.calls[3]).toEqual([ - 'visdimension', - { accessor: 0 }, - ]); + expect(buildExpressionFunction).nthCalledWith(2, 'visdimension', { accessor: 0 }); // prepare table expression function - expect((buildExpressionFunction as jest.Mock).mock.calls[4]).toEqual([ - 'kibana_table', - { - buckets: [mockTableExpression], - metrics: [mockTableExpression], - perPage: 20, - percentageCol: 'Count', - row: undefined, - showMetricsAtAllLevels: true, - showPartialRows: true, - showToolbar: false, - showTotal: true, - title: undefined, - totalFunc: 'sum', - }, - ]); + expect(buildExpressionFunction).nthCalledWith(3, 'kibana_table', { + buckets: [mockTableExpression], + metrics: [mockTableExpression], + perPage: 20, + percentageCol: 'Count', + row: undefined, + showMetricsAtAllLevels: true, + showPartialRows: true, + showToolbar: false, + showTotal: true, + title: undefined, + totalFunc: 'sum', + }); }); it('should filter out invalid vis params', () => { // @ts-expect-error vis.params.sort = { columnIndex: null }; toExpressionAst(vis, {} as any); - expect((buildExpressionFunction 
as jest.Mock).mock.calls[4][1].sort).toBeUndefined(); + expect(buildExpressionFunction).nthCalledWith( + 2, + expect.anything(), + expect.not.objectContaining({ sort: expect.anything() }) + ); }); }); diff --git a/src/plugins/vis_types/table/public/to_ast.ts b/src/plugins/vis_types/table/public/to_ast.ts index ac3799fb51cea..a0149b2ba7e6b 100644 --- a/src/plugins/vis_types/table/public/to_ast.ts +++ b/src/plugins/vis_types/table/public/to_ast.ts @@ -6,10 +6,6 @@ * Side Public License, v 1. */ -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; import { getVisSchemas, SchemaConfig, VisToExpressionAst } from '@kbn/visualizations-plugin/public'; import { TableVisParams } from '../common'; @@ -41,17 +37,6 @@ const getMetrics = (schemas: ReturnType, visParams: TableV }; export const toExpressionAst: VisToExpressionAst = (vis, params) => { - const esaggs = buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: vis.params.showPartialRows, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); - const schemas = getVisSchemas(vis, params); const metrics = getMetrics(schemas, vis.params); @@ -81,7 +66,7 @@ export const toExpressionAst: VisToExpressionAst = (vis, params) table.addArgument('splitRow', prepareDimension(schemas.split_row[0])); } - const ast = buildExpression([esaggs, table]); + const ast = buildExpression([table]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/tagcloud/public/__snapshots__/to_ast.test.ts.snap b/src/plugins/vis_types/tagcloud/public/__snapshots__/to_ast.test.ts.snap index 3f50cdf559e19..b766feeef5307 100644 
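Review bot: In `should filter out invalid vis params`, the rewritten assertion inspects call 2, which the preceding test in this hunk pins as the bucket `visdimension` call (`nthCalledWith(2, 'visdimension', { accessor: 0 })`), so `expect.not.objectContaining({ sort: expect.anything() })` passes trivially and the `kibana_table` arguments are no longer checked. The removed line read `calls[4][1]`, the `kibana_table` call when `indexPatternLoad` and `esaggs` still contributed two calls; with those gone it is the third call, as the first test itself asserts. Change it to `expect(buildExpressionFunction).nthCalledWith(3, 'kibana_table', expect.not.objectContaining({ sort: expect.anything() }));`. Both tests' call counts also assume the mock is cleared between tests, which this hunk does not show.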
--- a/src/plugins/vis_types/tagcloud/public/__snapshots__/to_ast.test.ts.snap +++ b/src/plugins/vis_types/tagcloud/public/__snapshots__/to_ast.test.ts.snap @@ -3,35 +3,6 @@ exports[`tagcloud vis toExpressionAst function should match snapshot params fulfilled with DatatableColumn vis_dimension.accessor at metric 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "bucket": Array [ @@ -118,35 +89,6 @@ Object { exports[`tagcloud vis toExpressionAst function should match snapshot params fulfilled with number vis_dimension.accessor at metric 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "bucket": Array [ 
@@ -233,35 +175,6 @@ Object { exports[`tagcloud vis toExpressionAst function should match snapshot without params 1`] = ` Object { "chain": Array [ - Object { - "arguments": Object { - "aggs": Array [], - "index": Array [ - Object { - "chain": Array [ - Object { - "arguments": Object { - "id": Array [ - "123", - ], - }, - "function": "indexPatternLoad", - "type": "function", - }, - ], - "type": "expression", - }, - ], - "metricsAtAllLevels": Array [ - false, - ], - "partialRows": Array [ - false, - ], - }, - "function": "esaggs", - "type": "function", - }, Object { "arguments": Object { "bucket": Array [ diff --git a/src/plugins/vis_types/tagcloud/public/tag_cloud_type.ts b/src/plugins/vis_types/tagcloud/public/tag_cloud_type.ts index 35b7845ec515f..417ec9430333d 100644 --- a/src/plugins/vis_types/tagcloud/public/tag_cloud_type.ts +++ b/src/plugins/vis_types/tagcloud/public/tag_cloud_type.ts @@ -38,6 +38,7 @@ export const getTagCloudVisTypeDefinition = ({ palettes }: TagCloudVisDependenci }, }, }, + fetchDatatable: true, toExpressionAst, editorConfig: { enableDataViewChange: true, diff --git a/src/plugins/vis_types/tagcloud/public/to_ast.test.ts b/src/plugins/vis_types/tagcloud/public/to_ast.test.ts index 2c3fcc5799742..e6c70e36c7089 100644 --- a/src/plugins/vis_types/tagcloud/public/to_ast.test.ts +++ b/src/plugins/vis_types/tagcloud/public/to_ast.test.ts @@ -44,13 +44,7 @@ describe('tagcloud vis toExpressionAst function', () => { params: { showLabel: false, }, - data: { - indexPattern: { id: '123' }, - aggs: { - getResponseAggs: () => [], - aggs: [], - }, - }, + data: {}, } as unknown as Vis; }); diff --git a/src/plugins/vis_types/tagcloud/public/to_ast.ts b/src/plugins/vis_types/tagcloud/public/to_ast.ts index 78461475a3d3d..632a4ceb775a0 100644 --- a/src/plugins/vis_types/tagcloud/public/to_ast.ts +++ b/src/plugins/vis_types/tagcloud/public/to_ast.ts 
@@ -7,10 +7,6 @@ */ import type { PaletteOutput } from '@kbn/coloring'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; import { getVisSchemas, SchemaConfig, VisToExpressionAst } from '@kbn/visualizations-plugin/public'; import { TagCloudVisParams } from './types'; @@ -34,17 +30,6 @@ const preparePalette = (palette?: PaletteOutput) => { }; export const toExpressionAst: VisToExpressionAst = (vis, params) => { - const esaggs = buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); - const schemas = getVisSchemas(vis, params); const { scale, orientation, minFontSize, maxFontSize, showLabel, palette } = vis.params; @@ -62,7 +47,7 @@ export const toExpressionAst: VisToExpressionAst = (vis, para tagcloud.addArgument('bucket', prepareDimension(schemas.segment[0])); } - const ast = buildExpression([esaggs, tagcloud]); + const ast = buildExpression([tagcloud]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/timeseries/public/trigger_action/get_series.test.ts b/src/plugins/vis_types/timeseries/public/trigger_action/get_series.test.ts index cfd858a345669..40fa06ba427a1 100644 --- a/src/plugins/vis_types/timeseries/public/trigger_action/get_series.test.ts +++ b/src/plugins/vis_types/timeseries/public/trigger_action/get_series.test.ts @@ -104,7 +104,7 @@ describe('getSeries', () => { fieldName: 'document', isFullReference: true, params: { - formula: 'clamp(max(day_of_week_i), 0, max(day_of_week_i))', + formula: 'pick_max(max(day_of_week_i), 0)', }, }, ]); 
diff --git a/src/plugins/vis_types/timeseries/public/trigger_action/metrics_helpers.ts b/src/plugins/vis_types/timeseries/public/trigger_action/metrics_helpers.ts index e3d8fa0434cbd..f6a368382b5b4 100644 --- a/src/plugins/vis_types/timeseries/public/trigger_action/metrics_helpers.ts +++ b/src/plugins/vis_types/timeseries/public/trigger_action/metrics_helpers.ts @@ -220,7 +220,10 @@ export const getSiblingPipelineSeriesFormula = ( // support nested aggs with formula const additionalSubFunction = metrics.find((metric) => metric.id === subMetricField); let formula = `${aggregationMap.name}(`; - let minMax = ''; + let minimumValue = ''; + if (currentMetric.type === 'positive_only') { + minimumValue = `, 0`; + } if (additionalSubFunction) { const additionalPipelineAggMap = SUPPORTED_METRICS[additionalSubFunction.type]; if (!additionalPipelineAggMap) { @@ -228,14 +231,9 @@ export const getSiblingPipelineSeriesFormula = ( } const additionalSubFunctionField = additionalSubFunction.type !== 'count' ? additionalSubFunction.field : ''; - if (currentMetric.type === 'positive_only') { - minMax = `, 0, ${pipelineAggMap.name}(${additionalPipelineAggMap.name}(${ - additionalSubFunctionField ?? '' - }))`; - } formula += `${pipelineAggMap.name}(${additionalPipelineAggMap.name}(${ additionalSubFunctionField ?? '' - }))${minMax})`; + }))${minimumValue})`; } else { let additionalFunctionArgs; // handle percentile and percentile_rank @@ -246,14 +244,9 @@ export const getSiblingPipelineSeriesFormula = ( if (pipelineAggMap.name === 'percentile_rank' && nestedMetaValue) { additionalFunctionArgs = `, value=${nestedMetaValue}`; } - if (currentMetric.type === 'positive_only') { - minMax = `, 0, ${pipelineAggMap.name}(${subMetricField ?? ''}${ - additionalFunctionArgs ? `${additionalFunctionArgs}` : '' - })`; - } formula += `${pipelineAggMap.name}(${subMetricField ?? ''}${ additionalFunctionArgs ? `${additionalFunctionArgs}` : '' - })${minMax})`; + })${minimumValue})`; } return formula; }; 
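Review bot: `minimumValue` in the first hunk holds the literal argument text `, 0` that is spliced into the formula string, not a number, and it is written as a template literal with nothing to interpolate; `const positiveOnlyArg = currentMetric.type === 'positive_only' ? ', 0' : '';` plus a comment `// TSVB positive_only -> Lens pick_max(<expr>, 0): negative values presumably become 0` would make the intent clear where the suffix is consumed two hunks later. The suffix is appended to a formula assembled by interpolating `subMetricField` and `additionalSubFunctionField` raw, so a field name containing `,` or `)` would produce a malformed formula; that is pre-existing rather than introduced here, but worth a note if this path ever takes names from outside saved objects. `getSiblingPipelineSeriesFormula` starts before the first hunk and its `return formula;` is in the third.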
diff --git a/src/plugins/vis_types/timeseries/public/trigger_action/supported_metrics.ts b/src/plugins/vis_types/timeseries/public/trigger_action/supported_metrics.ts index 30b6f47da5f7e..29bf2008e208d 100644 --- a/src/plugins/vis_types/timeseries/public/trigger_action/supported_metrics.ts +++ b/src/plugins/vis_types/timeseries/public/trigger_action/supported_metrics.ts @@ -93,7 +93,7 @@ export const SUPPORTED_METRICS: { [key: string]: AggOptions } = { isFullReference: true, }, positive_only: { - name: 'clamp', + name: 'pick_max', isFullReference: true, }, static: { diff --git a/src/plugins/vis_types/vislib/public/to_ast.test.ts b/src/plugins/vis_types/vislib/public/to_ast.test.ts index 1628fb1812d34..a7bbf146005b4 100644 --- a/src/plugins/vis_types/vislib/public/to_ast.test.ts +++ b/src/plugins/vis_types/vislib/public/to_ast.test.ts @@ -23,10 +23,6 @@ jest.mock('@kbn/expressions-plugin/public', () => ({ })), })); -jest.mock('./to_ast_esaggs', () => ({ - getEsaggsFn: jest.fn(), -})); - describe('vislib vis toExpressionAst function', () => { let vis: Vis; @@ -42,7 +38,7 @@ describe('vislib vis toExpressionAst function', () => { it('should match basic snapshot', () => { toExpressionAst(vis, params); - const [, builtExpression] = (buildExpression as jest.Mock).mock.calls[0][0]; + const [builtExpression] = (buildExpression as jest.Mock).mock.calls[0][0]; expect(builtExpression).toMatchSnapshot(); }); diff --git a/src/plugins/vis_types/vislib/public/to_ast.ts b/src/plugins/vis_types/vislib/public/to_ast.ts index 6ef3ec72f4ab0..ceb938d5d72e1 100644 --- a/src/plugins/vis_types/vislib/public/to_ast.ts +++ b/src/plugins/vis_types/vislib/public/to_ast.ts 
@@ -22,7 +22,6 @@ import { BUCKET_TYPES } from '@kbn/data-plugin/public'; import { vislibVisName, VisTypeVislibExpressionFunctionDefinition } from './vis_type_vislib_vis_fn'; import { BasicVislibParams, VislibChartType } from './types'; -import { getEsaggsFn } from './to_ast_esaggs'; export const toExpressionAst = async ( vis: Vis, @@ -95,7 +94,7 @@ export const toExpressionAst = async ( } ); - const ast = buildExpression([getEsaggsFn(vis), visTypeVislib]); + const ast = buildExpression([visTypeVislib]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/vislib/public/to_ast_esaggs.ts b/src/plugins/vis_types/vislib/public/to_ast_esaggs.ts deleted file mode 100644 index 6874f812c41ff..0000000000000 --- a/src/plugins/vis_types/vislib/public/to_ast_esaggs.ts +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Vis } from '@kbn/visualizations-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; - -/** - * Get esaggs expressions function - * TODO: replace this with vis.data.aggs!.toExpressionAst(); - * https://github.com/elastic/kibana/issues/61768 - * @param vis - */ -export function getEsaggsFn(vis: Vis) { - return buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); -} 
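Review bot: Dropping `getEsaggsFn(vis)` from `buildExpression([visTypeVislib])` makes the vislib function depend on the visualizations embeddable prepending the search-source expression, and that expression only yields a datatable when the vis type sets `fetchDatatable: true` (the `asDatatable: vis.type.fetchDatatable` call in src/plugins/visualizations/public/embeddable/to_ast.ts further down). The xy vis types in this commit set that flag, but no vislib or pie vis type definition visible in this part of the diff does; if they are updated elsewhere this is fine, otherwise the vislib and pie renderers would receive no datatable. The same applies to the matching change in to_ast_pie.ts below. A short comment at the `buildExpression` call, e.g. `// data fetching (search source / esaggs) is prepended by the visualizations embeddable`, would make the new dependency explicit.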
diff --git a/src/plugins/vis_types/vislib/public/to_ast_pie.test.ts b/src/plugins/vis_types/vislib/public/to_ast_pie.test.ts index 49a44c3de4a89..9cb57c8086db1 100644 --- a/src/plugins/vis_types/vislib/public/to_ast_pie.test.ts +++ b/src/plugins/vis_types/vislib/public/to_ast_pie.test.ts @@ -23,10 +23,6 @@ jest.mock('@kbn/expressions-plugin/public', () => ({ })), })); -jest.mock('./to_ast_esaggs', () => ({ - getEsaggsFn: jest.fn(), -})); - describe('vislib pie vis toExpressionAst function', () => { let vis: Vis; @@ -42,7 +38,7 @@ describe('vislib pie vis toExpressionAst function', () => { it('should match basic snapshot', () => { toExpressionAst(vis, params); - const [, builtExpression] = (buildExpression as jest.Mock).mock.calls[0][0]; + const [builtExpression] = (buildExpression as jest.Mock).mock.calls[0][0]; expect(builtExpression).toMatchSnapshot(); }); diff --git a/src/plugins/vis_types/vislib/public/to_ast_pie.ts b/src/plugins/vis_types/vislib/public/to_ast_pie.ts index 9f7bda7740a44..3302130df0134 100644 --- a/src/plugins/vis_types/vislib/public/to_ast_pie.ts +++ b/src/plugins/vis_types/vislib/public/to_ast_pie.ts @@ -11,7 +11,6 @@ import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugi import { PieVisParams } from './pie'; import { vislibPieName, VisTypeVislibPieExpressionFunctionDefinition } from './pie_fn'; -import { getEsaggsFn } from './to_ast_esaggs'; export const toExpressionAst: VisToExpressionAst = async (vis, params) => { const schemas = getVisSchemas(vis, params); @@ -32,7 +31,7 @@ export const toExpressionAst: VisToExpressionAst = async (vis, par } ); - const ast = buildExpression([getEsaggsFn(vis), visTypePie]); + const ast = buildExpression([visTypePie]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/xy/public/to_ast.test.ts b/src/plugins/vis_types/xy/public/to_ast.test.ts index ed35017d53edf..e9b597786c33e 100644 --- a/src/plugins/vis_types/xy/public/to_ast.test.ts 
+++ b/src/plugins/vis_types/xy/public/to_ast.test.ts @@ -23,10 +23,6 @@ jest.mock('@kbn/expressions-plugin/public', () => ({ })), })); -jest.mock('./to_ast_esaggs', () => ({ - getEsaggsFn: jest.fn(), -})); - describe('xy vis toExpressionAst function', () => { let vis: Vis; @@ -42,7 +38,7 @@ describe('xy vis toExpressionAst function', () => { it('should match basic snapshot', () => { toExpressionAst(vis, params); - const [, builtExpression] = (buildExpression as jest.Mock).mock.calls.pop()[0]; + const [builtExpression] = (buildExpression as jest.Mock).mock.calls.pop()[0]; expect(builtExpression).toMatchSnapshot(); }); diff --git a/src/plugins/vis_types/xy/public/to_ast.ts b/src/plugins/vis_types/xy/public/to_ast.ts index bf2ca297f9f38..46ff05f4426a6 100644 --- a/src/plugins/vis_types/xy/public/to_ast.ts +++ b/src/plugins/vis_types/xy/public/to_ast.ts @@ -32,7 +32,6 @@ import { } from './types'; import { visName, VisTypeXyExpressionFunctionDefinition } from './expression_functions/xy_vis_fn'; import { XyVisType } from '../common'; -import { getEsaggsFn } from './to_ast_esaggs'; import { getSeriesParams } from './utils/get_series_params'; import { getSafeId } from './utils/accessors'; @@ -238,7 +237,7 @@ export const toExpressionAst: VisToExpressionAst = async (vis, params splitColumnDimension: dimensions.splitColumn?.map(prepareXYDimension), }); - const ast = buildExpression([getEsaggsFn(vis), visTypeXy]); + const ast = buildExpression([visTypeXy]); return ast.toAst(); }; diff --git a/src/plugins/vis_types/xy/public/to_ast_esaggs.ts b/src/plugins/vis_types/xy/public/to_ast_esaggs.ts deleted file mode 100644 index 1a9079079ebda..0000000000000 --- a/src/plugins/vis_types/xy/public/to_ast_esaggs.ts +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0 and the Server Side Public License, v 1; you may not use this file except - * in compliance with, at your election, the Elastic License 2.0 or the Server - * Side Public License, v 1. - */ - -import { Vis } from '@kbn/visualizations-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { - EsaggsExpressionFunctionDefinition, - IndexPatternLoadExpressionFunctionDefinition, -} from '@kbn/data-plugin/public'; - -import { VisParams } from './types'; - -/** - * Get esaggs expressions function - * TODO: replace this with vis.data.aggs!.toExpressionAst(); - * https://github.com/elastic/kibana/issues/61768 - * @param vis - */ -export function getEsaggsFn(vis: Vis) { - return buildExpressionFunction('esaggs', { - index: buildExpression([ - buildExpressionFunction('indexPatternLoad', { - id: vis.data.indexPattern!.id!, - }), - ]), - metricsAtAllLevels: vis.isHierarchical(), - partialRows: false, - aggs: vis.data.aggs!.aggs.map((agg) => buildExpression(agg.toExpressionAst())), - }); -} diff --git a/src/plugins/vis_types/xy/public/vis_types/area.ts b/src/plugins/vis_types/xy/public/vis_types/area.ts index 84a6a65d2753a..0ca07c8067457 100644 --- a/src/plugins/vis_types/xy/public/vis_types/area.ts +++ b/src/plugins/vis_types/xy/public/vis_types/area.ts @@ -35,6 +35,7 @@ export const areaVisTypeDefinition = { description: i18n.translate('visTypeXy.area.areaDescription', { defaultMessage: 'Emphasize the data between an axis and a line.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter, VIS_EVENT_TO_TRIGGER.brush], updateVisTypeOnParamsChange: getVisTypeFromParams, 
diff --git a/src/plugins/vis_types/xy/public/vis_types/histogram.ts b/src/plugins/vis_types/xy/public/vis_types/histogram.ts index dd1ee2836b10f..680186eb330f9 100644 --- a/src/plugins/vis_types/xy/public/vis_types/histogram.ts +++ b/src/plugins/vis_types/xy/public/vis_types/histogram.ts @@ -37,6 +37,7 @@ export const histogramVisTypeDefinition = { description: i18n.translate('visTypeXy.histogram.histogramDescription', { defaultMessage: 'Present data in vertical bars on an axis.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter, VIS_EVENT_TO_TRIGGER.brush], updateVisTypeOnParamsChange: getVisTypeFromParams, diff --git a/src/plugins/vis_types/xy/public/vis_types/horizontal_bar.ts b/src/plugins/vis_types/xy/public/vis_types/horizontal_bar.ts index dda1ead899faf..25fc3142e0e98 100644 --- a/src/plugins/vis_types/xy/public/vis_types/horizontal_bar.ts +++ b/src/plugins/vis_types/xy/public/vis_types/horizontal_bar.ts @@ -37,6 +37,7 @@ export const horizontalBarVisTypeDefinition = { description: i18n.translate('visTypeXy.horizontalBar.horizontalBarDescription', { defaultMessage: 'Present data in horizontal bars on an axis.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter, VIS_EVENT_TO_TRIGGER.brush], updateVisTypeOnParamsChange: getVisTypeFromParams, diff --git a/src/plugins/vis_types/xy/public/vis_types/line.ts b/src/plugins/vis_types/xy/public/vis_types/line.ts index a4ad14d7f5442..e0c7e081573f3 100644 --- a/src/plugins/vis_types/xy/public/vis_types/line.ts +++ b/src/plugins/vis_types/xy/public/vis_types/line.ts @@ -35,6 +35,7 @@ export const lineVisTypeDefinition = { description: i18n.translate('visTypeXy.line.lineDescription', { defaultMessage: 'Display data as a series of points.', }), + fetchDatatable: true, toExpressionAst, getSupportedTriggers: () => [VIS_EVENT_TO_TRIGGER.filter, VIS_EVENT_TO_TRIGGER.brush], updateVisTypeOnParamsChange: getVisTypeFromParams, 
diff --git a/src/plugins/visualizations/public/embeddable/to_ast.ts b/src/plugins/visualizations/public/embeddable/to_ast.ts index dc4e931781f7b..80e7217f8d1c1 100644 --- a/src/plugins/visualizations/public/embeddable/to_ast.ts +++ b/src/plugins/visualizations/public/embeddable/to_ast.ts @@ -6,10 +6,9 @@ * Side Public License, v 1. */ -import { ExpressionFunctionKibana, ExpressionFunctionKibanaContext } from '@kbn/data-plugin/public'; -import { buildExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; +import { ExpressionFunctionKibana } from '@kbn/data-plugin/public'; +import { ExpressionAstExpression, buildExpressionFunction } from '@kbn/expressions-plugin/public'; -import { queryToAst, filtersToAst } from '@kbn/data-plugin/common'; import { VisToExpressionAst } from '../types'; /** 
@@ -19,31 +18,38 @@ import { VisToExpressionAst } from '../types';
  *
  * @internal
  */
-export const toExpressionAst: VisToExpressionAst = async (vis, params) => {
-  const { savedSearchId, searchSource } = vis.data;
-  const query = searchSource?.getField('query');
-  let filters = searchSource?.getField('filter');
-  if (typeof filters === 'function') {
-    filters = filters();
+export const toExpressionAst: VisToExpressionAst = async (
+  vis,
+  params
+): Promise => {
+  if (!vis.type.toExpressionAst) {
+    throw new Error('Visualization type definition should have toExpressionAst function defined');
   }
-  const kibana = buildExpressionFunction('kibana', {});
-  const kibanaContext = buildExpressionFunction('kibana_context', {
-    q: query && queryToAst(query),
-    filters: filters && filtersToAst(filters),
-    savedSearchId,
-  });
-
-  const ast = buildExpression([kibana, kibanaContext]);
-  const expression = ast.toAst();
+  const searchSource = vis.data.searchSource?.createCopy();
 
-  if (!vis.type.toExpressionAst) {
-    throw new Error('Visualization type definition should have toExpressionAst function defined');
+  if (vis.data.aggs) {
+    vis.data.aggs.hierarchical = vis.isHierarchical();
+    vis.data.aggs.partialRows =
+      typeof vis.type.hasPartialRows === 'function'
+        ? vis.type.hasPartialRows(vis)
+        : vis.type.hasPartialRows;
+    searchSource?.setField('aggs', vis.data.aggs);
   }
 
   const visExpressionAst = await vis.type.toExpressionAst(vis, params);
 
-  // expand the expression chain with a particular visualization expression chain, if it exists
-  expression.chain.push(...visExpressionAst.chain);
+  const searchSourceExpressionAst = searchSource?.toExpressionAst({
+    asDatatable: vis.type.fetchDatatable,
+  });
+
+  const expression = {
+    ...visExpressionAst,
+    chain: [
+      buildExpressionFunction('kibana', {}).toAst(),
+      ...(searchSourceExpressionAst?.chain ?? []),
+      ...visExpressionAst.chain,
+    ],
+  };
 
   return expression;
 };
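Review bot: The new body mutates `vis.data.aggs` in place (`hierarchical` and `partialRows`) while only the search source is copied via `createCopy()`, so converting a vis to an expression now has a side effect on shared vis state and the very same `aggs` instance is attached to the copied search source with `setField('aggs', vis.data.aggs)`. If that is intended, say so where it happens, e.g. `// NOTE: vis.data.aggs is updated in place; only the search source is copied`; otherwise consider working on a copy of the aggs too. When `vis.data.searchSource` is undefined the chain is just `kibana` followed by the vis chain (`searchSourceExpressionAst?.chain ?? []`), so a `fetchDatatable` vis would render with no table; that case may deserve an explicit guard or at least a comment.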
diff --git a/src/plugins/visualizations/public/vis.scss b/src/plugins/visualizations/public/vis.scss
index 42b59b8de93cd..42ffab11a1eda 100644
--- a/src/plugins/visualizations/public/vis.scss
+++ b/src/plugins/visualizations/public/vis.scss
@@ -8,7 +8,6 @@
 // SASSTODO: Too risky to change to BEM naming
 .visualization {
   display: flex;
-  flex-direction: column;
   width: 100%;
   height: 100%;
   overflow: auto;
diff --git a/src/plugins/visualizations/public/vis_types/base_vis_type.ts b/src/plugins/visualizations/public/vis_types/base_vis_type.ts
index 5b1e2afc91dfd..18dcacadcaeab 100644
--- a/src/plugins/visualizations/public/vis_types/base_vis_type.ts
+++ b/src/plugins/visualizations/public/vis_types/base_vis_type.ts
@@ -40,10 +40,12 @@ export class BaseVisType {
   public readonly editorConfig;
   public hidden;
   public readonly requiresSearch;
+  public readonly hasPartialRows;
   public readonly hierarchicalData;
   public readonly setup;
   public readonly getUsedIndexPattern;
   public readonly inspectorAdapters;
+  public readonly fetchDatatable: boolean;
   public readonly toExpressionAst;
   public readonly getInfoMessage;
   public readonly updateVisTypeOnParamsChange;
@@ -72,9 +74,11 @@ export class BaseVisType {
     this.hidden = opts.hidden ?? false;
     this.requiresSearch = opts.requiresSearch ?? false;
     this.setup = opts.setup;
+    this.hasPartialRows = opts.hasPartialRows ?? false;
     this.hierarchicalData = opts.hierarchicalData ?? false;
     this.getUsedIndexPattern = opts.getUsedIndexPattern;
     this.inspectorAdapters = opts.inspectorAdapters;
+    this.fetchDatatable = opts.fetchDatatable ?? false;
     this.toExpressionAst = opts.toExpressionAst;
     this.getInfoMessage = opts.getInfoMessage;
     this.updateVisTypeOnParamsChange = opts.updateVisTypeOnParamsChange;
diff --git a/src/plugins/visualizations/public/vis_types/types.ts b/src/plugins/visualizations/public/vis_types/types.ts
index 73b3f96ab2ea7..8f6dc309a7145 100644
--- a/src/plugins/visualizations/public/vis_types/types.ts
+++ b/src/plugins/visualizations/public/vis_types/types.ts
@@ -216,6 +216,10 @@ export interface VisTypeDefinition {
    * with the selection of a search source - an index pattern or a saved search.
    */
   readonly requiresSearch?: boolean;
+  /**
+   * In case when the visualization performs an aggregation, this option will be used to display or hide the rows with partial data.
+   */
+  readonly hasPartialRows?: boolean | ((vis: { params: TVisParams }) => boolean);
   readonly hierarchicalData?: boolean | ((vis: { params: TVisParams }) => boolean);
   readonly inspectorAdapters?: Adapters | (() => Adapters);
   /**
@@ -225,6 +229,12 @@ export interface VisTypeDefinition {
    * of this type.
    */
   readonly getInfoMessage?: (vis: Vis) => React.ReactNode;
+
+  /**
+   * When truthy, it will perform a search and pass the results to the visualization as a `datatable`.
+   * @default false
+   */
+  readonly fetchDatatable?: boolean;
   /**
    * Should be provided to expand base visualization expression with
    * custom exprsesion chain, including render expression.
diff --git a/test/api_integration/apis/index_patterns/constants.ts b/test/api_integration/apis/index_patterns/constants.ts
index 8194966bcdcb8..eaec583f72d59 100644
--- a/test/api_integration/apis/index_patterns/constants.ts
+++ b/test/api_integration/apis/index_patterns/constants.ts
@@ -22,7 +22,7 @@ const legacyConfig = {
   serviceKey: SERVICE_KEY_LEGACY,
 };
 
-const dataViewConfig = {
+export const dataViewConfig = {
   name: 'data view api',
   path: DATA_VIEW_PATH,
   basePath: SERVICE_PATH,
diff --git a/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/index.ts b/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/index.ts
new file mode 100644
index 0000000000000..60c5ae1dc0935
--- /dev/null
+++ b/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { FtrProviderContext } from '../../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('get_data_views', () => {
+    loadTestFile(require.resolve('./main'));
+  });
+}
diff --git a/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/main.ts b/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/main.ts
new file mode 100644
index 0000000000000..cce2da6cd89f9
--- /dev/null
+++ b/test/api_integration/apis/index_patterns/index_pattern_crud/get_data_views/main.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../../../ftr_provider_context';
+import { dataViewConfig } from '../../constants';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+
+  describe('main', () => {
+    describe('get data views api', () => {
+      it('returns list of data views', async () => {
+        const response = await supertest.get(dataViewConfig.basePath);
+        expect(response.status).to.be(200);
+        expect(response.body).to.have.property(dataViewConfig.serviceKey);
+        expect(response.body[dataViewConfig.serviceKey]).to.be.an('array');
+      });
+    });
+  });
+}
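Review bot: `returns list of data views` in main.ts only asserts a 200 and that `response.body[dataViewConfig.serviceKey]` is an array, so an empty array passes and the test cannot tell whether data views are actually listed. Consider creating a data view in a `before` hook (or loading a fixture) and asserting that its id or title appears in the returned array, then removing it in `after` so the suite stays order-independent. The `describe('main')` wrapper around `describe('get data views api')` adds a level that carries no information and could be dropped.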
diff --git a/test/api_integration/apis/index_patterns/index_pattern_crud/index.ts b/test/api_integration/apis/index_patterns/index_pattern_crud/index.ts
index 81d605d217b54..158fe3087bcbe 100644
--- a/test/api_integration/apis/index_patterns/index_pattern_crud/index.ts
+++ b/test/api_integration/apis/index_patterns/index_pattern_crud/index.ts
@@ -14,5 +14,6 @@ export default function ({ loadTestFile }: FtrProviderContext) {
     loadTestFile(require.resolve('./get_index_pattern'));
     loadTestFile(require.resolve('./delete_index_pattern'));
     loadTestFile(require.resolve('./update_index_pattern'));
+    loadTestFile(require.resolve('./get_data_views'));
   });
 }
diff --git a/test/functional/apps/discover/_discover.ts b/test/functional/apps/discover/_discover.ts
index 88df8f7798ba8..498c35f0c74fb 100644
--- a/test/functional/apps/discover/_discover.ts
+++ b/test/functional/apps/discover/_discover.ts
@@ -25,8 +25,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
     defaultIndex: 'logstash-*',
   };
 
-  // FLAKY: https://github.com/elastic/kibana/issues/130694
-  describe.skip('discover test', function describeIndexTests() {
+  describe('discover test', function describeIndexTests() {
     before(async function () {
       log.debug('load kibana index with default index pattern');
       await kibanaServer.importExport.load('test/functional/fixtures/kbn_archiver/discover');
@@ -84,7 +83,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 
     it('should show correct time range string in chart', async function () {
       const actualTimeString = await PageObjects.discover.getChartTimespan();
-      const expectedTimeString = `${PageObjects.timePicker.defaultStartTime} - ${PageObjects.timePicker.defaultEndTime}`;
+      const expectedTimeString = `${PageObjects.timePicker.defaultStartTime} - ${PageObjects.timePicker.defaultEndTime} (interval: Auto - 3 hours)`;
       expect(actualTimeString).to.be(expectedTimeString);
     });
 
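Review bot: The `(interval: Auto - 3 hours)` suffix in `expectedTimeString` hard-codes the interval label for the default time range, so any change to the default range or to how the interval is rendered breaks this assertion with a message that does not explain why. A comment tying the suffix to the default start/end, e.g. `// the default range spans 3h, which Discover renders as 'Auto - 3 hours'`, or deriving the label from a shared constant would make the coupling visible. The FLAKY skip and its issue link are removed in the same hunk; if the fix for that flake is the longer timeout and full-screen handling in the hunks below, noting that in the commit description would help whoever sees it flake again.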
@@ -96,8 +95,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { expect(time.start).to.be('Sep 21, 2015 @ 12:00:00.000'); expect(time.end).to.be('Sep 21, 2015 @ 15:00:00.000'); await retry.waitForWithTimeout( - 'doc table to contain the right search result', - 1000, + 'table to contain the right search result', + 3000, async () => { const rowData = await PageObjects.discover.getDocTableField(1); log.debug(`The first timestamp value in doc table: ${rowData}`); diff --git a/test/functional/page_objects/discover_page.ts b/test/functional/page_objects/discover_page.ts index ba5c11a35c273..f16f0396cf091 100644 --- a/test/functional/page_objects/discover_page.ts +++ b/test/functional/page_objects/discover_page.ts @@ -284,8 +284,10 @@ export class DiscoverPageObject extends FtrService { ); return await fields[usedCellIdx].getVisibleText(); } + await this.testSubjects.click('dataGridFullScreenButton'); const row = await this.dataGrid.getRow({ rowIndex: index - 1 }); - const result = await Promise.all(row.map(async (cell) => await cell.getVisibleText())); + const result = await Promise.all(row.map(async (cell) => (await cell.getVisibleText()).trim())); + await this.testSubjects.click('dataGridFullScreenButton'); return result[usedCellIdx]; } diff --git a/test/package/Vagrantfile b/test/package/Vagrantfile index 2a7e465531333..1dec55a8e1302 100644 --- a/test/package/Vagrantfile +++ b/test/package/Vagrantfile @@ -6,7 +6,7 @@ Vagrant.configure("2") do |config| vb.memory = 2048 end deb.vm.box = 'elastic/debian-9-x86_64' - deb.vm.provision "ansible" do |ansible| + deb.vm.provision "ansible_local" do |ansible| ansible.playbook = "deb.yml" end deb.vm.network "private_network", ip: "192.168.56.5" 
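Review bot: In getDocTableField, if `getRow` or `getVisibleText` rejects between the two `dataGridFullScreenButton` clicks the second click never runs and the grid is left in full-screen mode for whatever test runs next. Wrapping the read in `try`/`finally` guarantees the toggle is undone, and a comment should say why full screen is entered at all (presumably so every cell of the row is rendered and readable). getDocTableField starts before the hunk.

```typescript
      await this.testSubjects.click('dataGridFullScreenButton');
      try {
        const row = await this.dataGrid.getRow({ rowIndex: index - 1 });
        const result = await Promise.all(row.map(async (cell) => (await cell.getVisibleText()).trim()));
        return result[usedCellIdx];
      } finally {
        // leave the grid as we found it even if reading the row failed
        await this.testSubjects.click('dataGridFullScreenButton');
      }
```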
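Review bot: Switching the provisioner from `ansible` to `ansible_local` moves the Ansible run into the guest, so the version that executes `deb.yml` here (and `rpm.yml`, `docker.yml` in the next two Vagrantfile hunks) is whatever Vagrant installs inside the box at provision time unless it is pinned. For a packaging test that should be reproducible, consider pinning with `ansible.version` (and `ansible.install_mode` if a specific install source is wanted), and add a comment on why the guest-side provisioner was chosen over the host one.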
@@ -17,7 +17,7 @@ Vagrant.configure("2") do |config|
       vb.memory = 2048
     end
     rpm.vm.box = 'elastic/centos-7-x86_64'
-    rpm.vm.provision "ansible" do |ansible|
+    rpm.vm.provision "ansible_local" do |ansible|
       ansible.playbook = "rpm.yml"
     end
     rpm.vm.network "private_network", ip: "192.168.56.6"
@@ -28,7 +28,7 @@ Vagrant.configure("2") do |config|
       vb.memory = 2048
     end
     docker.vm.box = 'elastic/ubuntu-18.04-x86_64'
-    docker.vm.provision "ansible" do |ansible|
+    docker.vm.provision "ansible_local" do |ansible|
       ansible.playbook = "docker.yml"
     end
     docker.vm.network "private_network", ip: "192.168.56.7"
diff --git a/test/plugin_functional/plugins/data_search/server/plugin.ts b/test/plugin_functional/plugins/data_search/server/plugin.ts
index 5258211c544bb..b6e0208544995 100644
--- a/test/plugin_functional/plugins/data_search/server/plugin.ts
+++ b/test/plugin_functional/plugins/data_search/server/plugin.ts
@@ -55,7 +55,7 @@ export class DataSearchTestPlugin
 
         // Since the index pattern ID can change on each test run, we need
         // to look it up on the fly and insert it into the request.
-        const indexPatterns = await data.indexPatterns.indexPatternsServiceFactory(
+        const indexPatterns = await data.indexPatterns.dataViewsServiceFactory(
           savedObjectsClient,
           clusterClient,
           req
diff --git a/test/plugin_functional/plugins/index_patterns/server/plugin.ts b/test/plugin_functional/plugins/index_patterns/server/plugin.ts
index 5e6836de2a986..111fbaec0e2f8 100644
--- a/test/plugin_functional/plugins/index_patterns/server/plugin.ts
+++ b/test/plugin_functional/plugins/index_patterns/server/plugin.ts
@@ -36,7 +36,7 @@ export class IndexPatternsTestPlugin async (context, req, res) => { const [{ savedObjects, elasticsearch }, { data }] = await core.getStartServices(); const savedObjectsClient = savedObjects.getScopedClient(req); - const service = await data.indexPatterns.indexPatternsServiceFactory( + const service = await data.indexPatterns.dataViewsServiceFactory( savedObjectsClient, elasticsearch.client.asScoped(req).asCurrentUser, req @@ -51,7 +51,7 @@ export class IndexPatternsTestPlugin async (context, req, res) => { const [{ savedObjects, elasticsearch }, { data }] = await core.getStartServices(); const savedObjectsClient = savedObjects.getScopedClient(req); - const service = await data.indexPatterns.indexPatternsServiceFactory( + const service = await data.indexPatterns.dataViewsServiceFactory( savedObjectsClient, elasticsearch.client.asScoped(req).asCurrentUser, req @@ -74,7 +74,7 @@ export class IndexPatternsTestPlugin const id = (req.params as Record).id; const [{ savedObjects, elasticsearch }, { data }] = await core.getStartServices(); const savedObjectsClient = savedObjects.getScopedClient(req); - const service = await data.indexPatterns.indexPatternsServiceFactory( + const service = await data.indexPatterns.dataViewsServiceFactory( savedObjectsClient, elasticsearch.client.asScoped(req).asCurrentUser, req @@ -97,7 +97,7 @@ export class IndexPatternsTestPlugin const [{ savedObjects, elasticsearch }, { data }] = await core.getStartServices(); const id = (req.params as Record).id; const savedObjectsClient = savedObjects.getScopedClient(req); - const service = await data.indexPatterns.indexPatternsServiceFactory( + const service = await data.indexPatterns.dataViewsServiceFactory( savedObjectsClient, elasticsearch.client.asScoped(req).asCurrentUser, req 
@@ -121,7 +121,7 @@ export class IndexPatternsTestPlugin
         const [{ savedObjects, elasticsearch }, { data }] = await core.getStartServices();
         const id = (req.params as Record).id;
         const savedObjectsClient = savedObjects.getScopedClient(req);
-        const service = await data.indexPatterns.indexPatternsServiceFactory(
+        const service = await data.indexPatterns.dataViewsServiceFactory(
           savedObjectsClient,
           elasticsearch.client.asScoped(req).asCurrentUser,
           req
diff --git a/test/scripts/jenkins_ux_synthetics.sh b/test/scripts/jenkins_ux_synthetics.sh
new file mode 100755
index 0000000000000..0f5cfb729bcd1
--- /dev/null
+++ b/test/scripts/jenkins_ux_synthetics.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+source test/scripts/jenkins_test_setup_xpack.sh
+
+echo " -> Running User Experience plugin @elastic/synthetics tests"
+cd "$XPACK_DIR"
+
+checks-reporter-with-killswitch "User Experience plugin @elastic/synthetics Tests" \
+  node plugins/ux/scripts/e2e.js
+
+echo ""
+echo ""
diff --git a/tsconfig.base.json b/tsconfig.base.json
index a593145c4093d..f263f7f9bced9 100644
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@@ -337,6 +337,8 @@
     "@kbn/infra-plugin/*": ["x-pack/plugins/infra/*"],
     "@kbn/ingest-pipelines-plugin": ["x-pack/plugins/ingest_pipelines"],
     "@kbn/ingest-pipelines-plugin/*": ["x-pack/plugins/ingest_pipelines/*"],
+    "@kbn/kubernetes-security-plugin": ["x-pack/plugins/kubernetes_security"],
+    "@kbn/kubernetes-security-plugin/*": ["x-pack/plugins/kubernetes_security/*"],
     "@kbn/lens-plugin": ["x-pack/plugins/lens"],
     "@kbn/lens-plugin/*": ["x-pack/plugins/lens/*"],
     "@kbn/license-api-guard-plugin": ["x-pack/plugins/license_api_guard"],
diff --git a/vars/tasks.groovy b/vars/tasks.groovy
index e0da1df30cdf9..ee440c9c11731 100644
--- a/vars/tasks.groovy
+++ b/vars/tasks.groovy
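Review bot: `cd "$XPACK_DIR"` in jenkins_ux_synthetics.sh is unchecked; if `XPACK_DIR` is unset or wrong the script keeps going from the repository root and `node plugins/ux/scripts/e2e.js` fails with a misleading "module not found" style error. Unless the sourced jenkins_test_setup_xpack.sh enables `set -e` (not visible here), write `cd "$XPACK_DIR" || exit 1`, or add `set -euo pipefail` right after the `source` line. The two trailing `echo ""` lines would also benefit from a comment if they are intentional spacing for the CI log.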
@@ -165,6 +165,15 @@ def functionalXpack(Map params = [:]) {
     }
   }
 
+  whenChanged([
+    'x-pack/plugins/ux/',
+  ]) {
+    if (githubPr.isPr()) {
+      task(kibanaPipeline.functionalTestProcess('xpack-uxPluginSynthetics', './test/scripts/jenkins_ux_synthetics.sh'))
+    }
+  }
+
+
   whenChanged([
     'x-pack/plugins/fleet/',
   ]) {
diff --git a/x-pack/.i18nrc.json b/x-pack/.i18nrc.json
index 738c5242813be..3533ef314cacf 100644
--- a/x-pack/.i18nrc.json
+++ b/x-pack/.i18nrc.json
@@ -29,6 +29,7 @@
     "xpack.infra": "plugins/infra",
     "xpack.fleet": "plugins/fleet",
     "xpack.ingestPipelines": "plugins/ingest_pipelines",
+    "xpack.kubernetesSecurity": "plugins/kubernetes_security",
     "xpack.lens": "plugins/lens",
     "xpack.licenseApiGuard": "plugins/license_api_guard",
     "xpack.licenseMgmt": "plugins/license_management",
diff --git a/x-pack/examples/exploratory_view_example/public/app.tsx b/x-pack/examples/exploratory_view_example/public/app.tsx
index 35ace0b045a38..1acba86bad3eb 100644
--- a/x-pack/examples/exploratory_view_example/public/app.tsx
+++ b/x-pack/examples/exploratory_view_example/public/app.tsx
@@ -18,7 +18,7 @@ import {
   EuiPageHeaderSection,
   EuiTitle,
 } from '@elastic/eui';
-import { IndexPattern } from '@kbn/data-plugin/public';
+import type { DataView } from '@kbn/data-views-plugin/public';
 import { CoreStart } from '@kbn/core/public';
 import { AllSeries } from '@kbn/observability-plugin/public';
 import { StartDependencies } from './plugin';
@@ -26,7 +26,7 @@ import { StartDependencies } from './plugin';
 export const App = (props: {
   core: CoreStart;
   plugins: StartDependencies;
-  defaultIndexPattern: IndexPattern | null;
+  defaultIndexPattern: DataView | null;
 }) => {
   const ExploratoryViewComponent = props.plugins.observability.ExploratoryViewEmbeddable;
 
diff --git a/x-pack/plugins/apm/dev_docs/local_setup.md b/x-pack/plugins/apm/dev_docs/local_setup.md
index 499ab70d38559..42aaf686dac5b 100644
--- a/x-pack/plugins/apm/dev_docs/local_setup.md
+++ b/x-pack/plugins/apm/dev_docs/local_setup.md
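Review bot: The new `whenChanged` block in tasks.groovy is followed by two added blank lines, leaving a double blank line before the fleet block where the surrounding code uses a single one. The trigger also watches only `x-pack/plugins/ux/`, so a change to `test/scripts/jenkins_ux_synthetics.sh` itself (added in this commit) would not run the task that exercises it; adding that path to the list keeps the script covered by its own check. A one-line comment on why the task runs only for PRs (`githubPr.isPr()`) would help the next person who wonders whether it is also meant to run on tracked branches.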
@@ -30,8 +30,7 @@ yarn start **Run Synthtrace** ``` -node packages/elastic-apm-synthtrace/src/scripts/run packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts \ - --local +node scripts/synthtrace simple_trace.ts --local ``` The `--local` flag is a shortcut to specifying `--target` and `--kibana`. It autodiscovers the current kibana basepath and installs the appropiate APM package. @@ -56,9 +55,7 @@ Use the [oblt-cli](https://github.com/elastic/observability-test-environments/bl If you want to bootstrap some data on a cloud instance you can also use the following ``` -node packages/elastic-apm-synthtrace/src/scripts/run packages/elastic-apm-synthtrace/src/scripts/examples/01_simple_trace.ts \ - --cloudId "myname:" \ - --maxDocs 100000 +node scripts/synthtrace simple_trace.ts --cloudId "myname:" --maxDocs 100000 ``` ## 3. Local ES Cluster diff --git a/x-pack/plugins/apm/public/components/shared/charts/timeline/timeline_axis.tsx b/x-pack/plugins/apm/public/components/shared/charts/timeline/timeline_axis.tsx index 31d5be127214e..e9c2bdfc485e7 100644 --- a/x-pack/plugins/apm/public/components/shared/charts/timeline/timeline_axis.tsx +++ b/x-pack/plugins/apm/public/components/shared/charts/timeline/timeline_axis.tsx @@ -88,14 +88,14 @@ export function TimelineAxis({ {topTraceDuration > 0 && ( )} {marks.map((mark) => ( - + ))} diff --git a/x-pack/plugins/apm/public/components/shared/kuery_bar/index.tsx b/x-pack/plugins/apm/public/components/shared/kuery_bar/index.tsx index 753d3b6460ea3..7a335964d5ccc 100644 --- a/x-pack/plugins/apm/public/components/shared/kuery_bar/index.tsx +++ b/x-pack/plugins/apm/public/components/shared/kuery_bar/index.tsx 
@@ -11,8 +11,8 @@ import { uniqueId } from 'lodash'; import React, { useState } from 'react'; import { useHistory, useLocation } from 'react-router-dom'; import { QuerySuggestion } from '@kbn/unified-search-plugin/public'; -import { DataView } from '@kbn/data-plugin/common'; import { esKuery } from '@kbn/data-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { useApmPluginContext } from '../../../context/apm_plugin/use_apm_plugin_context'; import { useLegacyUrlParams } from '../../../context/url_params_context/use_url_params'; import { useApmParams } from '../../../hooks/use_apm_params'; @@ -106,7 +106,7 @@ export function KueryBar(props: { const suggestions = ( (await unifiedSearch.autocomplete.getQuerySuggestions({ language: 'kuery', - indexPatterns: [dataView], + indexPatterns: [dataView as DataView], boolFilter: props.boolFilter ?? getBoolFilter({ diff --git a/x-pack/plugins/apm/scripts/test/api.js b/x-pack/plugins/apm/scripts/test/api.js index a4f467f3fea91..27b0704dbee55 100644 --- a/x-pack/plugins/apm/scripts/test/api.js +++ b/x-pack/plugins/apm/scripts/test/api.js @@ -82,7 +82,7 @@ if (server) { const cmd = [ 'node', ...(inspect ? ['--inspect-brk'] : []), - `../../../../scripts/${ftrScript}`, + `../../../../../scripts/${ftrScript}`, ...(grep ? [`--grep "${grep}"`] : []), ...(updateSnapshots ? [`--updateSnapshots`] : []), `--config ../../../../test/apm_api_integration/${license}/config.ts`, diff --git a/x-pack/plugins/apm/server/routes/rum_client/route.ts b/x-pack/plugins/apm/server/routes/rum_client/route.ts index dfcb821b09c6a..8807d16afbb66 100644 --- a/x-pack/plugins/apm/server/routes/rum_client/route.ts +++ b/x-pack/plugins/apm/server/routes/rum_client/route.ts 
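Review bot: `indexPatterns: [dataView as DataView]` adds a type assertion rather than a narrowing; if `dataView` can be undefined here (its declaration is outside the hunk), the cast silences the compiler and the call passes `[undefined]` at runtime. Prefer a guard such as `indexPatterns: dataView ? [dataView] : []`, or fix the type at its source so no cast is needed; if the assertion exists only to bridge the data-plugin and data-views-plugin `DataView` types after the import change above, a comment saying so would stop the next reader from removing it.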
@@ -14,7 +14,6 @@ import { getLongTaskMetrics } from './get_long_task_metrics'; import { getPageLoadDistribution } from './get_page_load_distribution'; import { getPageViewTrends } from './get_page_view_trends'; import { getPageLoadDistBreakdown } from './get_pl_dist_breakdown'; -import { getUrlSearch } from './get_url_search'; import { getVisitorBreakdown } from './get_visitor_breakdown'; import { getWebCoreVitals } from './get_web_core_vitals'; import { hasRumData } from './has_rum_data'; @@ -280,34 +279,6 @@ const rumLongTaskMetrics = createApmServerRoute({ }, }); -const rumUrlSearch = createApmServerRoute({ - endpoint: 'GET /internal/apm/ux/url-search', - params: t.type({ - query: uxQueryRt, - }), - options: { tags: ['access:apm'] }, - handler: async ( - resources - ): Promise<{ - total: number; - items: Array<{ url: string; count: number; pld: number }>; - }> => { - const setup = await setupUXRequest(resources); - - const { - query: { urlQuery, percentile, start, end }, - } = resources.params; - - return getUrlSearch({ - setup, - urlQuery, - percentile: Number(percentile), - start, - end, - }); - }, -}); - const rumJSErrors = createApmServerRoute({ endpoint: 'GET /internal/apm/ux/js-errors', params: t.type({ @@ -412,7 +383,6 @@ export const rumRouteRepository = { ...rumVisitorsBreakdownRoute, ...rumWebCoreVitals, ...rumLongTaskMetrics, - ...rumUrlSearch, ...rumJSErrors, ...rumHasDataRoute, }; diff --git a/x-pack/plugins/canvas/public/lib/es_service.ts b/x-pack/plugins/canvas/public/lib/es_service.ts index 7b86716aef7e5..9d558243c9421 100644 --- a/x-pack/plugins/canvas/public/lib/es_service.ts +++ b/x-pack/plugins/canvas/public/lib/es_service.ts @@ -6,7 +6,6 @@ */ // TODO - clint: convert to service abstraction -import { IndexPatternAttributes } from '@kbn/data-plugin/public'; import { API_ROUTE } from '../../common/lib/constants'; import { fetch } from '../../common/lib/fetch'; 
@@ -49,7 +48,7 @@ export const getFields = (index = '_all') => { export const getIndices = () => getSavedObjectsClient() - .find({ + .find<{ title: string }>({ type: 'index-pattern', fields: ['title'], searchFields: ['title'], @@ -70,7 +69,7 @@ export const getDefaultIndex = () => { return defaultIndexId ? getSavedObjectsClient() - .get('index-pattern', defaultIndexId) + .get<{ title: string }>('index-pattern', defaultIndexId) .then((defaultIndex) => defaultIndex.attributes.title) .catch((err) => { const notifyService = pluginServices.getServices().notify; diff --git a/x-pack/plugins/cases/README.md b/x-pack/plugins/cases/README.md index 908428673c30d..98eb504ff7094 100644 --- a/x-pack/plugins/cases/README.md +++ b/x-pack/plugins/cases/README.md @@ -16,17 +16,12 @@ This plugin provides cases management in Kibana ## Table of Contents - [Cases API](#cases-api) -- [Cases Client API](#cases-client-api) - [Cases UI](#cases-ui) ## Cases API [**Explore the API docs »**](https://www.elastic.co/guide/en/security/current/cases-api-overview.html) -## Cases Client API - -[**Cases Client API docs**][cases-client-api-docs] - ## Cases UI ### Embed Cases UI components in any Kibana plugin 
@@ -133,9 +128,79 @@ An array of: | id | The ID of the case | string | | title | The title of the case | string | -### ui +#### `find` -#### `getCases` +Retrieves a paginated subset of cases. + +Arguments + +| Property | Description | Type | +| -------- | ---------------------- | --------------------- | +| query | The request parameters | object | +| signal | The abort signal | Optional, AbortSignal | + +`query` + +| Property | Description | Type | +| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| defaultSearchOperator | The default operator to use for the `simple_query_string`. Defaults to `OR`. | Optional, string | +| fields | The fields in the entity to return in the response. | Optional, array of strings | +| from | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. | Optional, string | +| owner | A filter to limit the retrieved cases to a specific set of applications. Valid values are: `cases`, `observability`, and `securitySolution`. If this parameter is omitted, the response contains all cases that the user has access to read. | +| page | The page number to return. Defaults to `1` . | Optional, integer | +| perPage | The number of rules to return per page. Defaults to `20` . | Optional, integer | +| reporters | Filters the returned cases by the reporter's `username. | Optional, string or array of strings | +| search | `simple_query_string` query that filters the objects in the response. | Optional, string | +| searchFields | The fields to perform the `simple_query_string` parsed query against. | Optional, string or array of strings | +| severity | The severity of the case. 
Valid values are: `critical`, `high`, `low`, and `medium`. | Optional, string | +| sortField | Determines which field is used to sort the results,`createdAt` or `updatedAt`. Defaults to `createdAt`. | Optional, string | +| sortOrder | Determines the sort order, which can be `desc` or `asc`. Defaults to `desc`. | Optional, string | +| status | Filters the returned cases by state, which can be `open`, `in-progress`, or `closed`. | Optional, string | +| tags | Filters the returned cases by tags. | Optional, string or array of strings | +| to | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. | Optional, string | + +#### `getCasesStatus` + +Returns the number of cases that are open, closed, and in progress. + +Arguments + +| Property | Description | Type | +| -------- | ---------------------- | --------------------- | +| query | The request parameters | object | +| signal | The abort signal | Optional, AbortSignal | + +`query` + +| Property | Description | Type | +| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| from | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. | Optional, string | +| owner | A filter to limit the retrieved cases to a specific set of applications. Valid values are: `cases`, `observability`, and `securitySolution`. If this parameter is omitted, the response contains all cases that the user has access to read. | +| to | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. 
| Optional, string | + + +#### `getCasesMetrics` + +Returns the number of cases that are open, closed, and in progress. + +Arguments + +| Property | Description | Type | +| -------- | ---------------------- | --------------------- | +| query | The request parameters | object | +| signal | The abort signal | Optional, AbortSignal | + +`query` + +| Property | Description | Type | +| -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| features | The metrics to retrieve. | Optional, array of strings | +| from | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. | Optional, string | +| owner | A filter to limit the retrieved cases to a specific set of applications. Valid values are: `cases`, `observability`, and `securitySolution`. If this parameter is omitted, the response contains all cases that the user has access to read. | +| to | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. | Optional, string | + + +### ui Arguments: @@ -160,6 +225,7 @@ Arguments: | timelineIntegration?.hooks.useInsertTimeline | `(value: string, onChange: (newValue: string) => void): UseInsertTimelineReturn` | | timelineIntegration?.ui?.renderInvestigateInTimelineActionComponent? | `(alertIds: string[]) => JSX.Element;` space to render `InvestigateInTimelineActionComponent` | | timelineIntegration?.ui?renderTimelineDetailsPanel? | `() => JSX.Element;` space to render `TimelineDetailsPanel` | +#### `getCases` UI component: ![All Cases Component][all-cases-img] 
@@ -284,4 +350,3 @@ Arguments: [all-cases-modal-img]: images/all_cases_selector_modal.png [recent-cases-img]: images/recent_cases.png [case-view-img]: images/case_view.png -[cases-client-api-docs]: docs/cases_client/README.md diff --git a/x-pack/plugins/cases/common/ui/types.ts b/x-pack/plugins/cases/common/ui/types.ts index 5443302bce467..e44f674b19080 100644 --- a/x-pack/plugins/cases/common/ui/types.ts +++ b/x-pack/plugins/cases/common/ui/types.ts @@ -155,8 +155,6 @@ export type UpdateKey = keyof Pick< export interface UpdateByKey { updateKey: UpdateKey; updateValue: CasePatchRequest[UpdateKey]; - fetchCaseUserActions?: (caseId: string, caseConnectorId: string) => void; - updateCase?: (newCase: Case) => void; caseData: Case; onSuccess?: () => void; onError?: () => void; diff --git a/x-pack/plugins/cases/docs/openapi/bundled.json b/x-pack/plugins/cases/docs/openapi/bundled.json index d673f470de740..100aec3566d44 100644 --- a/x-pack/plugins/cases/docs/openapi/bundled.json +++ b/x-pack/plugins/cases/docs/openapi/bundled.json @@ -120,25 +120,28 @@ "type": "string" } }, - "required": [ - "fields", - "id", - "name", - "type" - ] + "example": null }, "id": { "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "name": { "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "type": { "$ref": "#/components/schemas/connector_types" } - } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] }, "description": { "description": "The description for the case.", @@ -158,7 +161,7 @@ } }, "severity": { - "$ref": "#/components/schemas/severity" + "$ref": "#/components/schemas/severity_property" }, "tags": { "description": "The words and phrases that help categorize cases. It can be an empty array.", 
@@ -298,20 +301,17 @@ "type": "string" } }, - "required": [ - "fields", - "id", - "name", - "type" - ] + "example": null }, "id": { "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "name": { "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "type": { "$ref": "#/components/schemas/connector_types" @@ -328,15 +328,15 @@ "properties": { "email": { "type": "string", - "example": "ahunley@imf.usa.gov" + "example": null }, "full_name": { "type": "string", - "example": "Alan Hunley" + "example": null }, "username": { "type": "string", - "example": "ahunley" + "example": "elastic" } } }, @@ -406,7 +406,7 @@ } }, "severity": { - "$ref": "#/components/schemas/severity" + "$ref": "#/components/schemas/severity_property" }, "status": { "$ref": "#/components/schemas/status" @@ -604,25 +604,28 @@ "type": "string" } }, - "required": [ - "fields", - "id", - "name", - "type" - ] + "example": null }, "id": { "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "name": { "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "type": { "$ref": "#/components/schemas/connector_types" } - } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] }, "description": { "description": "The description for the case.", @@ -643,7 +646,7 @@ } }, "severity": { - "$ref": "#/components/schemas/severity" + "$ref": "#/components/schemas/severity_property" }, "status": { "$ref": "#/components/schemas/status" 
@@ -789,20 +792,17 @@ "type": "string" } }, - "required": [ - "fields", - "id", - "name", - "type" - ] + "example": null }, "id": { "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "name": { "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" + "type": "string", + "example": "none" }, "type": { "$ref": "#/components/schemas/connector_types" @@ -819,15 +819,15 @@ "properties": { "email": { "type": "string", - "example": "ahunley@imf.usa.gov" + "example": null }, "full_name": { "type": "string", - "example": "Alan Hunley" + "example": null }, "username": { "type": "string", - "example": "ahunley" + "example": "elastic" } } }, @@ -897,7 +897,7 @@ } }, "severity": { - "$ref": "#/components/schemas/severity" + "$ref": "#/components/schemas/severity_property" }, "status": { "$ref": "#/components/schemas/status" 
@@ -974,446 +974,761 @@ } ] }, - "/s/{spaceId}/api/cases": { - "post": { - "description": "Creates a case. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating.\n", + "/api/cases/_find": { + "get": { + "description": "Retrieves a paginated subset of cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n", "tags": [ "cases", "kibana" ], "parameters": [ { - "$ref": "#/components/parameters/kbn_xsrf" + "name": "defaultSearchOperator", + "in": "query", + "description": "The default operator to use for the simple_query_string.", + "schema": { + "type": "string", + "default": "OR" + }, + "example": "OR" }, { - "$ref": "#/components/parameters/space_id" + "name": "fields", + "in": "query", + "description": "The fields in the entity to return in the response.", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + }, + { + "name": "from", + "in": "query", + "description": "[preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. 
Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n", + "schema": { + "type": "string" + }, + "example": "now-1d", + "x-technical-preview": true + }, + { + "$ref": "#/components/parameters/owner" + }, + { + "name": "page", + "in": "query", + "description": "The page number to return.", + "schema": { + "type": "integer", + "default": 1 + }, + "example": 1 + }, + { + "name": "perPage", + "in": "query", + "description": "The number of rules to return per page.", + "schema": { + "type": "integer", + "default": 20 + }, + "example": 20 + }, + { + "name": "reporters", + "in": "query", + "description": "Filters the returned cases by the user name of the reporter.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + }, + "example": "elastic" + }, + { + "name": "search", + "in": "query", + "description": "An Elasticsearch simple_query_string query that filters the objects in the response.", + "schema": { + "type": "string" + } + }, + { + "name": "searchFields", + "in": "query", + "description": "The fields to perform the simple_query_string parsed query against.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + } + }, + { + "$ref": "#/components/parameters/severity" + }, + { + "name": "sortField", + "in": "query", + "description": "Determines which field is used to sort the results.", + "schema": { + "type": "string", + "enum": [ + "createdAt", + "updatedAt" + ], + "default": "createdAt" + }, + "example": "updatedAt" + }, + { + "name": "sortOrder", + "in": "query", + "description": "Determines the sort order.", + "schema": { + "type": "string", + "enum": [ + "asc", + "desc" + ], + "default": "desc" + }, + "example": "asc" + }, + { + "in": "query", + "name": "status", + "description": "Filters the returned cases by state.", + "schema": { 
+ "type": "string", + "enum": [ + "closed", + "in-progress", + "open" + ] + }, + "example": "open" + }, + { + "name": "tags", + "in": "query", + "description": "Filters the returned cases by tags.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + }, + "example": "phishing" + }, + { + "name": "to", + "in": "query", + "description": "Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.", + "schema": { + "type": "string" + }, + "example": "now%2B1d", + "x-technical-preview": true } ], - "requestBody": { - "content": { - "application/json": { - "schema": { - "type": "object", - "properties": { - "connector": { - "description": "An object that contains the connector configuration.", - "type": "object", - "properties": { - "fields": { - "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", - "nullable": true, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "object", + "properties": { + "cases": { + "type": "array", + "items": { "type": "object", "properties": { - "caseId": { - "description": "The case identifier for Swimlane connectors.", - "type": "string" + "closed_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null }, - "category": { - "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", - "type": "string" + "closed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null }, - "destIp": { - "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", - "type": "string" + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "example": [] }, - "impact": { - "description": "The effect an incident had on business for ServiceNow ITSM connectors.", - "type": "string" + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } }, - "issueType": { - "description": "The type of issue for Jira connectors.", - "type": "string" + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-05-13T09:16:17.416Z" }, - "issueTypes": { - "description": "The type of incident for IBM Resilient connectors.", - "type": "array", - "items": { - "type": "number" + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } } }, - "malwareHash": { - "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", - "type": "string" + "description": { + "type": "string", + "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" }, - "malwareUrl": { - "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", - "type": "string" + "duration": { + "type": "integer", + "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", + "example": 120 }, - "parent": { - "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", - "type": "string" + "external_service": { + "type": "object", + "properties": { + "connector_id": { + "type": "string" + }, + "connector_name": { + "type": "string" + }, + "external_id": { + "type": "string" + }, + "external_title": { + "type": "string" + }, + "external_url": { + "type": "string" + }, + "pushed_at": { + "type": "string", + "format": "date-time" + }, + "pushed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + } + } }, - "priority": { - "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", - "type": "string" + "id": { + "type": "string", + "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "type": "object", + "properties": { + "syncAlerts": { + "type": "boolean", + "example": true + } + } }, "severity": { - "description": "The severity of the incident for ServiceNow ITSM connectors.", - "type": "string" + "$ref": "#/components/schemas/severity_property" }, - "severityCode": { - "description": "The severity code of the incident for IBM Resilient connectors.", - "type": "number" + "status": { + "$ref": "#/components/schemas/status" }, - "sourceIp": { - "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", - "type": "string" + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "phishing", + "social engineering", + "bubblegum" + ] }, - "subcategory": { - "description": "The subcategory of the incident for ServiceNow ITSM connectors.", - "type": "string" + "title": { + "type": "string", + "example": "This case will 
self-destruct in 5 seconds" }, - "urgency": { - "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", - "type": "string" + "totalAlerts": { + "type": "integer", + "example": 0 + }, + "totalComment": { + "type": "integer", + "example": 0 + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "version": { + "type": "string", + "example": "WzUzMiwxXQ==" } - }, - "required": [ - "fields", - "id", - "name", - "type" - ] - }, - "id": { - "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "name": { - "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/connector_types" + } } - } - }, - "description": { - "description": "The description for the case.", - "type": "string" - }, - "owner": { - "$ref": "#/components/schemas/owners" - }, - "settings": { - "description": "An object that contains the case settings.", + }, + "count_closed_cases": { + "type": "integer" + }, + "count_in_progress_cases": { + "type": "integer" + }, + "count_open_cases": { + "type": "integer" + }, + "page": { + "type": "integer" + }, + "per_page": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "examples": { + "findCaseResponse": { + "$ref": "#/components/examples/find_case_response" + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/api/cases/alerts/{alertId}": { + "get": { + "description": "Returns the cases associated with a specific alert. 
You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n", + "x-technical-preview": true, + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/alert_id" + }, + { + "$ref": "#/components/parameters/owner" + } + ], + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { "type": "object", "properties": { - "syncAlerts": { - "description": "Turns alert syncing on or off.", - "type": "boolean" + "id": { + "type": "string", + "description": "The case identifier." + }, + "title": { + "type": "string", + "description": "The case title." } } }, - "severity": { - "$ref": "#/components/schemas/severity" - }, - "tags": { - "description": "The words and phrases that help categorize cases. It can be an empty array.", - "type": "array", - "items": { - "type": "string" + "example": [ + { + "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6", + "title": "security_case" } - }, - "title": { - "description": "A title for the case.", - "type": "string" - } - }, - "required": [ - "connector", - "description", - "owner", - "settings", - "tags", - "title" - ] - }, - "examples": { - "createCaseRequest": { - "$ref": "#/components/examples/create_case_request" + ] } } } } }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/api/cases/configure": { + "get": { + "description": "Retrieves external connection details, such as the closure type and default connector for cases. 
You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/owner" + } + ], "responses": { "200": { "description": "Indicates a successful call.", "content": { "application/json; charset=utf-8": { "schema": { - "type": "object", - "properties": { - "closed_at": { - "type": "string", - "format": "date-time", - "nullable": true, - "example": null - }, - "closed_by": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "full_name": { - "type": "string" - }, - "username": { - "type": "string" + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } } }, - "nullable": true, - "example": null - }, - "comments": { - "type": "array", - "items": { - "type": "string" + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" }, - "example": [] - }, - "connector": { - "type": "object", - "properties": { - "fields": { - "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", - "nullable": true, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { "type": "object", "properties": { - "caseId": { - "description": "The case identifier for Swimlane connectors.", - "type": "string" - }, - "category": { - "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", - "type": "string" - }, - "destIp": { - "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", - "type": "string" - }, - "impact": { - "description": "The effect an incident had on business for ServiceNow ITSM connectors.", - "type": "string" - }, - 
"issueType": { - "description": "The type of issue for Jira connectors.", - "type": "string" - }, - "issueTypes": { - "description": "The type of incident for IBM Resilient connectors.", - "type": "array", - "items": { - "type": "number" - } - }, - "malwareHash": { - "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", - "type": "string" - }, - "malwareUrl": { - "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", - "type": "string" - }, - "parent": { - "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", - "type": "string" - }, - "priority": { - "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", - "type": "string" - }, - "severity": { - "description": "The severity of the incident for ServiceNow ITSM connectors.", - "type": "string" - }, - "severityCode": { - "description": "The severity code of the incident for IBM Resilient connectors.", - "type": "number" - }, - "sourceIp": { - "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", - "type": "string" + "action_type": { + "type": "string", + "example": "overwrite" }, - "subcategory": { - "description": "The subcategory of the incident for ServiceNow ITSM connectors.", - "type": "string" + "source": { + "type": "string", + "example": "title" }, - "urgency": { - "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", - "type": "string" + "target": { + "type": "string", + "example": "summary" } + } + } + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null }, - "required": [ - "fields", - "id", - "name", - "type" - ] - }, - "id": { - 
"description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } }, - "name": { - "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/connector_types" - } - } - }, - "created_at": { - "type": "string", - "format": "date-time", - "example": "2022-05-13T09:16:17.416Z" - }, - "created_by": { - "type": "object", - "properties": { - "email": { - "type": "string", - "example": "ahunley@imf.usa.gov" - }, - "full_name": { - "type": "string", - "example": "Alan Hunley" - }, - "username": { - "type": "string", - "example": "ahunley" - } - } - }, - "description": { - "type": "string", - "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" - }, - "duration": { - "type": "integer", - "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", - "example": 120 - }, - "external_service": { - "type": "object", - "properties": { - "connector_id": { - "type": "string" - }, - "connector_name": { - "type": "string" - }, - "external_id": { - "type": "string" - }, - "external_title": { - "type": "string" - }, - "external_url": { - "type": "string" - }, - "pushed_at": { - "type": "string", - "format": "date-time" - }, - "pushed_by": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "full_name": { - "type": "string" - }, - "username": { - "type": "string" - } - }, - "nullable": true, - "example": null - } - } - }, - "id": { - "type": "string", - "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" - }, - "owner": { - "$ref": "#/components/schemas/owners" - }, - "settings": { - "type": "object", - "properties": { - "syncAlerts": { - "type": "boolean", - "example": true - } - } - }, - "severity": { - "$ref": "#/components/schemas/severity" - }, - "status": { - "$ref": "#/components/schemas/status" - }, - "tags": { - "type": "array", - "items": { - "type": "string" - }, - "example": [ - "phishing", - "social engineering", - "bubblegum" - ] - }, - "title": { - "type": "string", - "example": "This case will self-destruct in 5 seconds" - }, - "totalAlerts": { - "type": "integer", - "example": 0 - }, - "totalComment": { - "type": "integer", - "example": 0 - }, - "updated_at": { - "type": "string", - "format": "date-time", - "nullable": true, - "example": null - }, - "updated_by": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "full_name": { - "type": "string" - }, - "username": { - "type": "string" - } + "nullable": true }, - "nullable": true, - "example": null - }, - "version": { - "type": "string", - "example": "WzUzMiwxXQ==" + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } } } - }, - "examples": { - "createCaseResponse": { - "$ref": "#/components/examples/create_case_response" - } 
} } } @@ -1425,43 +1740,8 @@ } ] }, - "delete": { - "description": "Deletes one or more cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.\n", - "tags": [ - "cases", - "kibana" - ], - "parameters": [ - { - "$ref": "#/components/parameters/kbn_xsrf" - }, - { - "$ref": "#/components/parameters/space_id" - }, - { - "name": "ids", - "description": "The cases that you want to removed. All non-ASCII characters must be URL encoded.", - "in": "query", - "required": true, - "schema": { - "type": "string" - }, - "example": "d4e7abb0-b462-11ec-9a8d-698504725a43" - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - } - }, - "servers": [ - { - "url": "https://localhost:5601" - } - ] - }, - "patch": { - "description": "Updates one or more cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating.\n", + "post": { + "description": "Sets external connection details, such as the closure type and default connector for cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.\n", "tags": [ "cases", "kibana" 
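Review bot: The new `post` description on this hunk states the privilege requirement and the connector prerequisite but not how the server responds when a configuration already exists for the requested owner, which is the case a caller of a create-style endpoint most needs documented; if such a request is rejected, that status belongs in the operation's `responses` next to the `200`. The sentence "Refer to the add connectors API" names the related operation without a link or operation reference, so a reader of the rendered spec cannot follow it. The single run-on paragraph would also read better as a short `summary` (for example `"summary": "Add case configuration"`) followed by a description limited to the behaviour of this operation. The `post` operation continues past the end of this hunk, so I could not check whether a `summary` or additional responses are already present.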
@@ -1469,9 +1749,6 @@ "parameters": [ { "$ref": "#/components/parameters/kbn_xsrf" - }, - { - "$ref": "#/components/parameters/space_id" } ], "requestBody": { 
@@ -1480,156 +1757,128 @@ "schema": { "type": "object", "properties": { - "cases": { - "type": "array", - "items": { - "type": "object", - "properties": { - "connector": { - "description": "An object that contains the connector configuration.", - "type": "object", - "properties": { - "fields": { - "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", - "nullable": true, - "type": "object", - "properties": { - "caseId": { - "description": "The case identifier for Swimlane connectors.", - "type": "string" - }, - "category": { - "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", - "type": "string" - }, - "destIp": { - "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", - "type": "string" - }, - "impact": { - "description": "The effect an incident had on business for ServiceNow ITSM connectors.", - "type": "string" - }, - "issueType": { - "description": "The type of issue for Jira connectors.", - "type": "string" - }, - "issueTypes": { - "description": "The type of incident for IBM Resilient connectors.", - "type": "array", - "items": { - "type": "number" - } - }, - "malwareHash": { - "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", - "type": "string" - }, - "malwareUrl": { - "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", - "type": "string" - }, - "parent": { - "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", - "type": "string" - }, - "priority": { - "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", - "type": "string" - }, - "severity": { - "description": "The severity of the incident for ServiceNow ITSM connectors.", - "type": "string" - }, - "severityCode": { - "description": 
"The severity code of the incident for IBM Resilient connectors.", - "type": "number" - }, - "sourceIp": { - "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", - "type": "string" - }, - "subcategory": { - "description": "The subcategory of the incident for ServiceNow ITSM connectors.", - "type": "string" - }, - "urgency": { - "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", - "type": "string" - } - }, - "required": [ - "fields", - "id", - "name", - "type" - ] - }, - "id": { - "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "name": { - "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/connector_types" - } - } - }, - "description": { - "description": "The description for the case.", - "type": "string" - }, - "id": { - "description": "The identifier for the case.", - "type": "string" - }, - "settings": { - "description": "An object that contains the case settings.", - "type": "object", - "properties": { - "syncAlerts": { - "description": "Turns alert syncing on or off.", - "type": "boolean" + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" } - } - }, - "severity": { - "$ref": "#/components/schemas/severity" - }, - "status": { - "$ref": "#/components/schemas/status" - }, - "tags": { - "description": "The words and phrases that help categorize cases.", - "type": "array", - "items": { + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for 
ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", "type": "string" } }, - "title": { - "description": "A title for the case.", - "type": "string" - }, - "version": { - "description": "The current version of the case.", - "type": "string" - } + "example": null }, - "required": [ - "id", - "version" - ] - } + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "description": "An object that contains the case settings.", + "type": "object", + "properties": { + "syncAlerts": { + "description": "Turns alert syncing on or off.", + "type": "boolean", + "example": true + } + }, + "required": [ + "syncAlerts" + ] } - } - }, - "examples": { - "updateCaseRequest": { - "$ref": "#/components/examples/update_case_request" - } + }, + "required": [ + "closure_type", + "connector", + "owner" + ] } } } 
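Review bot: The `connector.fields` object schema (`caseId` through `urgency`) in this request body is an inline copy of the definition that already appears in the `200` response schema of the preceding hunk and again, several more times, in the `/api/cases/configure/{configurationId}` and `/s/{spaceId}/api/cases` schemas of the following hunk, while `closure_types`, `connector_types` and `owners` are factored into `#/components/schemas` and pulled in with `$ref`. The copies have already drifted: this one carries `"required": ["fields", "id", "name", "type"]` on the connector while the response variant of the preceding hunk does not, and every copy keeps the wording "To create a case without a connector, specify null" even where it now describes the case-configuration endpoints rather than case creation. I would move the object once under components and replace each inline copy with `"$ref": "#/components/schemas/connector_fields"` (name is a suggestion), adjusting the description per context where the create-case wording does not apply. If this JSON is a bundle generated from YAML sources, the deduplication presumably belongs in the source so it survives the next regeneration.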
@@ -1640,277 +1889,2933 @@ "content": { "application/json; charset=utf-8": { "schema": { - "type": "object", - "properties": { - "closed_at": { - "type": "string", - "format": "date-time", - "nullable": true, - "example": null - }, - "closed_by": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "full_name": { - "type": "string" - }, - "username": { - "type": "string" + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", 
+ "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } } }, - "nullable": true, - "example": null - }, - "comments": { - "type": "array", - "items": { - "type": "string" + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" }, - "example": [] - }, - "connector": { - "type": "object", - "properties": { - "fields": { - "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", - "nullable": true, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { "type": "object", "properties": { - "caseId": { - "description": "The case identifier for Swimlane connectors.", - "type": "string" - }, - "category": { - "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", - "type": "string" + "action_type": { + "type": "string", + "example": "overwrite" }, - "destIp": { - "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", - "type": "string" - }, - "impact": { - "description": "The effect an incident had on business for ServiceNow ITSM connectors.", - "type": "string" + "source": { + "type": "string", + "example": "title" }, - "issueType": { + "target": { + "type": "string", + "example": "summary" + } + } + } + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + }, + "nullable": true + }, + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/api/cases/configure/{configurationId}": { 
+ "patch": { + "description": "Updates external connection details, such as the closure type and default connector for cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can it in your cases. Refer to the add connectors API.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/configuration_id" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "version": { + "description": "The version of the connector. To retrieve the version value, use the get configuration API.\n", + "type": "string", + "example": "WzIwMiwxXQ==" + } + }, + "required": [ + "version" + ] + } + } + } + }, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "action_type": { + "type": "string", + "example": "overwrite" + }, + "source": { + "type": "string", + "example": "title" + }, + "target": { + "type": "string", + "example": "summary" + } + } + } + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + }, + "nullable": true + }, + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/s/{spaceId}/api/cases": { 
+ "post": { + "description": "Creates a case. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/space_id" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the 
parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "description": { + "description": "The description for the case.", + "type": "string" + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "description": "An object that contains the case settings.", + "type": "object", + "properties": { + "syncAlerts": { + "description": "Turns alert syncing on or off.", + "type": "boolean" + } + } + }, + "severity": { + "$ref": "#/components/schemas/severity_property" + }, + "tags": { + "description": "The words and phrases that help categorize cases. 
It can be an empty array.", + "type": "array", + "items": { + "type": "string" + } + }, + "title": { + "description": "A title for the case.", + "type": "string" + } + }, + "required": [ + "connector", + "description", + "owner", + "settings", + "tags", + "title" + ] + }, + "examples": { + "createCaseRequest": { + "$ref": "#/components/examples/create_case_request" + } + } + } + } + }, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "object", + "properties": { + "closed_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "closed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "example": [] + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-05-13T09:16:17.416Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "description": { + "type": "string", + "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" + }, + "duration": { + "type": "integer", + "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", + "example": 120 + }, + "external_service": { + "type": "object", + "properties": { + "connector_id": { + "type": "string" + }, + "connector_name": { + "type": "string" + }, + "external_id": { + "type": "string" + }, + "external_title": { + "type": "string" + }, + "external_url": { + "type": "string" + }, + "pushed_at": { + "type": "string", + "format": "date-time" + }, + "pushed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + } + } + }, + "id": { + "type": "string", + "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "type": "object", + "properties": { + "syncAlerts": { + "type": "boolean", + "example": true + } + } + }, + "severity": { + "$ref": "#/components/schemas/severity_property" + }, + "status": { + "$ref": "#/components/schemas/status" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "phishing", + "social engineering", + "bubblegum" + ] + }, + "title": { + "type": "string", + "example": "This case will self-destruct in 5 seconds" + }, + "totalAlerts": { + "type": "integer", + "example": 0 + }, + "totalComment": { + "type": "integer", + "example": 0 + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "version": { + "type": "string", + "example": "WzUzMiwxXQ==" + } + } + }, + "examples": { + "createCaseResponse": { + "$ref": "#/components/examples/create_case_response" + } + } + } + } + } + }, + "servers": [ + { + "url": 
"https://localhost:5601" + } + ] + }, + "delete": { + "description": "Deletes one or more cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/space_id" + }, + { + "name": "ids", + "description": "The cases that you want to removed. All non-ASCII characters must be URL encoded.", + "in": "query", + "required": true, + "schema": { + "type": "string" + }, + "example": "d4e7abb0-b462-11ec-9a8d-698504725a43" + } + ], + "responses": { + "204": { + "description": "Indicates a successful call." + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "patch": { + "description": "Updates one or more cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/space_id" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "cases": { + "type": "array", + "items": { + "type": "object", + "properties": { + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "description": { + "description": "The description for the case.", + "type": "string" + }, + "id": { + "description": "The identifier for the case.", + "type": "string" + }, + "settings": { + "description": "An object that contains the case settings.", + "type": "object", + "properties": { + "syncAlerts": { + "description": "Turns alert syncing on or off.", + "type": "boolean" + } + } + }, + "severity": { + "$ref": "#/components/schemas/severity_property" + }, + "status": { + "$ref": "#/components/schemas/status" + }, + "tags": { + "description": "The words and phrases that help categorize cases.", + "type": "array", + "items": { + "type": "string" + } + }, + "title": { + "description": "A title for the case.", + "type": "string" + }, + "version": { + "description": "The current version of the case.", + "type": "string" + } + }, + "required": [ + "id", + "version" + ] + } + } + } + }, + "examples": { + "updateCaseRequest": { + "$ref": "#/components/examples/update_case_request" + } + } + } + } + }, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "object", + "properties": { + "closed_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "closed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" 
+ }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "example": [] + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { "description": "The type of issue for Jira connectors.", "type": "string" }, - "issueTypes": { - "description": "The type of incident for IBM Resilient connectors.", - "type": "array", - "items": { + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM 
connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-05-13T09:16:17.416Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "description": { + "type": "string", + "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" + }, + "duration": { + "type": "integer", + "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", + "example": 120 + }, + "external_service": { + "type": "object", + "properties": { + "connector_id": { + "type": "string" + }, + "connector_name": { + "type": "string" + }, + "external_id": { + "type": "string" + }, + "external_title": { + "type": "string" + }, + "external_url": { + "type": "string" + }, + "pushed_at": { + "type": "string", + "format": "date-time" + }, + "pushed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + } + } + }, + "id": { + "type": "string", + "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "type": "object", + "properties": { + "syncAlerts": { + "type": "boolean", + "example": true + } + } + }, + "severity": { + "$ref": "#/components/schemas/severity_property" + }, + "status": { + "$ref": "#/components/schemas/status" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "phishing", + "social engineering", + "bubblegum" + ] + }, + "title": { + "type": "string", + "example": "This case will self-destruct in 5 seconds" + }, + "totalAlerts": { + "type": "integer", + "example": 0 + }, + "totalComment": { + "type": "integer", + "example": 0 + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "version": { + "type": "string", + "example": "WzUzMiwxXQ==" + } + } + }, + "examples": { + "updateCaseResponse": { + "$ref": "#/components/examples/update_case_response" + } + } + } + } + } + }, + "servers": [ + { + "url": 
"https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/s/{spaceId}/api/cases/_find": { + "get": { + "description": "Retrieves a paginated subset of cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/space_id" + }, + { + "name": "defaultSearchOperator", + "in": "query", + "description": "The default operator to use for the simple_query_string.", + "schema": { + "type": "string", + "default": "OR" + }, + "example": "OR" + }, + { + "name": "fields", + "in": "query", + "description": "The fields in the entity to return in the response.", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + }, + { + "name": "from", + "in": "query", + "description": "[preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. 
Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n", + "schema": { + "type": "string" + }, + "example": "now-1d" + }, + { + "$ref": "#/components/parameters/owner" + }, + { + "name": "page", + "in": "query", + "description": "The page number to return.", + "schema": { + "type": "integer", + "default": 1 + }, + "example": 1 + }, + { + "name": "perPage", + "in": "query", + "description": "The number of rules to return per page.", + "schema": { + "type": "integer", + "default": 20 + }, + "example": 20 + }, + { + "name": "reporters", + "in": "query", + "description": "Filters the returned cases by the user name of the reporter.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + }, + "example": "elastic" + }, + { + "name": "search", + "in": "query", + "description": "An Elasticsearch simple_query_string query that filters the objects in the response.", + "schema": { + "type": "string" + } + }, + { + "name": "searchFields", + "in": "query", + "description": "The fields to perform the simple_query_string parsed query against.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + } + }, + { + "$ref": "#/components/parameters/severity" + }, + { + "name": "sortField", + "in": "query", + "description": "Determines which field is used to sort the results.", + "schema": { + "type": "string", + "enum": [ + "createdAt", + "updatedAt" + ], + "default": "createdAt" + }, + "example": "updatedAt" + }, + { + "name": "sortOrder", + "in": "query", + "description": "Determines the sort order.", + "schema": { + "type": "string", + "enum": [ + "asc", + "desc" + ], + "default": "desc" + }, + "example": "asc" + }, + { + "name": "status", + "in": "query", + "description": "Filters the returned cases by state.", + "schema": { + "type": "string", + "enum": 
[ + "closed", + "in-progress", + "open" + ] + }, + "example": "open" + }, + { + "name": "tags", + "in": "query", + "description": "Filters the returned cases by tags.", + "schema": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + }, + "example": "phishing" + }, + { + "name": "to", + "in": "query", + "description": "[preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n", + "schema": { + "type": "string" + }, + "example": "now+1d" + } + ], + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "object", + "properties": { + "cases": { + "type": "array", + "items": { + "type": "object", + "properties": { + "closed_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "closed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "comments": { + "type": "array", + "items": { + "type": "string" + }, + "example": [] + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-05-13T09:16:17.416Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "description": { + "type": "string", + "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" + }, + "duration": { + "type": "integer", + "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", + "example": 120 + }, + "external_service": { + "type": "object", + "properties": { + "connector_id": { + "type": "string" + }, + "connector_name": { + "type": "string" + }, + "external_id": { + "type": "string" + }, + "external_title": { + "type": "string" + }, + "external_url": { + "type": "string" + }, + "pushed_at": { + "type": "string", + "format": "date-time" + }, + "pushed_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + } + } + }, + "id": { + "type": "string", + "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "type": "object", + "properties": { + "syncAlerts": { + "type": "boolean", + "example": true + } + } + }, + "severity": { + "$ref": "#/components/schemas/severity_property" + }, + "status": { + "$ref": "#/components/schemas/status" + }, + "tags": { + "type": "array", + "items": { + "type": "string" + }, + "example": [ + "phishing", + "social engineering", + "bubblegum" + ] + }, + "title": { + "type": "string", + "example": "This case will self-destruct in 5 seconds" + }, + "totalAlerts": { + "type": "integer", + "example": 0 + }, + "totalComment": { + "type": "integer", + "example": 0 + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": null + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "full_name": { + "type": "string" + }, + "username": { + "type": "string" + } + }, + "nullable": true, + "example": null + }, + "version": { + "type": "string", + "example": "WzUzMiwxXQ==" + } + } + } + }, + "count_closed_cases": { + "type": "integer" + }, + "count_in_progress_cases": { + "type": "integer" + }, + "count_open_cases": { + "type": "integer" + }, + "page": { 
+ "type": "integer" + }, + "per_page": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "examples": { + "findCaseResponse": { + "$ref": "#/components/examples/find_case_response" + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/s/{spaceId}/api/cases/alerts/{alertId}": { + "get": { + "description": "Returns the cases associated with a specific alert. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.\n", + "x-technical-preview": true, + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/alert_id" + }, + { + "$ref": "#/components/parameters/space_id" + }, + { + "$ref": "#/components/parameters/owner" + } + ], + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "The case identifier." + }, + "title": { + "type": "string", + "description": "The case title." + } + } + }, + "example": [ + { + "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6", + "title": "security_case" + } + ] + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/s/{spaceId}/api/cases/configure": { + "get": { + "description": "Retrieves external connection details, such as the closure type and default connector for cases. 
You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/space_id" + }, + { + "$ref": "#/components/parameters/owner" + } + ], + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" 
+ }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. 
To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "action_type": { + "type": "string", + "example": "overwrite" + }, + "source": { + "type": "string", + "example": "title" + }, + "target": { + "type": "string", + "example": "summary" + } + } + } + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + }, + "nullable": true + }, + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "post": { + "description": "Sets external connection details, such as the closure type and default connector for cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. 
You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/space_id" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for 
ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. 
To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "settings": { + "description": "An object that contains the case settings.", + "type": "object", + "properties": { + "syncAlerts": { + "description": "Turns alert syncing on or off.", + "type": "boolean", + "example": true + } + }, + "required": [ + "syncAlerts" + ] + } + }, + "required": [ + "closure_type", + "connector", + "owner" + ] + } + } + } + }, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident 
resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" } }, - "malwareHash": { - "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", - "type": "string" - }, - "malwareUrl": { - "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", - "type": "string" - }, - "parent": { - "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", - "type": "string" - }, - "priority": { - "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", - "type": "string" + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + } + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + } + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { + "type": "object", + "properties": { + "action_type": { + "type": "string", + "example": "overwrite" }, - "severity": { - "description": "The severity of the incident for ServiceNow ITSM connectors.", - "type": "string" + "source": { + "type": "string", + "example": "title" }, - "severityCode": { - "description": "The severity code of the incident for IBM Resilient connectors.", + "target": { + "type": "string", + 
"example": "summary" + } + } + } + }, + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } + }, + "nullable": true + }, + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "servers": [ + { + "url": "https://localhost:5601" + } + ] + }, + "/s/{spaceId}/api/cases/configure/{configurationId}": { + "patch": { + "description": "Updates external connection details, such as the closure type and default connector for cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can it in your cases. Refer to the add connectors API.\n", + "tags": [ + "cases", + "kibana" + ], + "parameters": [ + { + "$ref": "#/components/parameters/kbn_xsrf" + }, + { + "$ref": "#/components/parameters/configuration_id" + }, + { + "$ref": "#/components/parameters/space_id" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "description": "An object that contains the connector configuration.", + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the incident 
resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } + }, + "example": null + }, + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } + }, + "required": [ + "fields", + "id", + "name", + "type" + ] + }, + "version": { + "description": "The version of the connector. To retrieve the version value, use the get configuration API.\n", + "type": "string", + "example": "WzIwMiwxXQ==" + } + }, + "required": [ + "version" + ] + } + } + } + }, + "responses": { + "200": { + "description": "Indicates a successful call.", + "content": { + "application/json; charset=utf-8": { + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "closure_type": { + "$ref": "#/components/schemas/closure_types" + }, + "connector": { + "type": "object", + "properties": { + "fields": { + "description": "An object containing the connector fields. To create a case without a connector, specify null. 
If you want to omit any individual field, specify null as its value.", + "nullable": true, + "type": "object", + "properties": { + "caseId": { + "description": "The case identifier for Swimlane connectors.", + "type": "string" + }, + "category": { + "description": "The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.", + "type": "string" + }, + "destIp": { + "description": "A comma-separated list of destination IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "impact": { + "description": "The effect an incident had on business for ServiceNow ITSM connectors.", + "type": "string" + }, + "issueType": { + "description": "The type of issue for Jira connectors.", + "type": "string" + }, + "issueTypes": { + "description": "The type of incident for IBM Resilient connectors.", + "type": "array", + "items": { + "type": "number" + } + }, + "malwareHash": { + "description": "A comma-separated list of malware hashes for ServiceNow SecOps connectors.", + "type": "string" + }, + "malwareUrl": { + "description": "A comma-separated list of malware URLs for ServiceNow SecOps connectors.", + "type": "string" + }, + "parent": { + "description": "The key of the parent issue, when the issue type is sub-task for Jira connectors.", + "type": "string" + }, + "priority": { + "description": "The priority of the issue for Jira and ServiceNow SecOps connectors.", + "type": "string" + }, + "severity": { + "description": "The severity of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "severityCode": { + "description": "The severity code of the incident for IBM Resilient connectors.", + "type": "number" + }, + "sourceIp": { + "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", + "type": "string" + }, + "subcategory": { + "description": "The subcategory of the incident for ServiceNow ITSM connectors.", + "type": "string" + }, + "urgency": { + "description": "The extent to which the 
incident resolution can be delayed for ServiceNow ITSM connectors.", + "type": "string" + } }, - "sourceIp": { - "description": "A comma-separated list of source IPs for ServiceNow SecOps connectors.", - "type": "string" - }, - "subcategory": { - "description": "The subcategory of the incident for ServiceNow ITSM connectors.", - "type": "string" - }, - "urgency": { - "description": "The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.", - "type": "string" - } + "example": null }, - "required": [ - "fields", - "id", - "name", - "type" - ] - }, - "id": { - "description": "The identifier for the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "name": { - "description": "The name of the connector. To create a case without a connector, use `none`.", - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/connector_types" + "id": { + "description": "The identifier for the connector. To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "name": { + "description": "The name of the connector. 
To create a case without a connector, use `none`.", + "type": "string", + "example": "none" + }, + "type": { + "$ref": "#/components/schemas/connector_types" + } } - } - }, - "created_at": { - "type": "string", - "format": "date-time", - "example": "2022-05-13T09:16:17.416Z" - }, - "created_by": { - "type": "object", - "properties": { - "email": { - "type": "string", - "example": "ahunley@imf.usa.gov" - }, - "full_name": { - "type": "string", - "example": "Alan Hunley" - }, - "username": { - "type": "string", - "example": "ahunley" + }, + "created_at": { + "type": "string", + "format": "date-time", + "example": "2022-06-01T17:07:17.767Z" + }, + "created_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } } - } - }, - "description": { - "type": "string", - "example": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" - }, - "duration": { - "type": "integer", - "description": "The elapsed time from the creation of the case to its closure (in seconds). 
If the case has not been closed, the duration is set to null.", - "example": 120 - }, - "external_service": { - "type": "object", - "properties": { - "connector_id": { - "type": "string" - }, - "connector_name": { - "type": "string" - }, - "external_id": { - "type": "string" - }, - "external_title": { - "type": "string" - }, - "external_url": { - "type": "string" - }, - "pushed_at": { - "type": "string", - "format": "date-time" - }, - "pushed_by": { + }, + "error": { + "type": "string", + "example": null + }, + "id": { + "type": "string", + "example": "4a97a440-e1cd-11ec-be9b-9b1838238ee6" + }, + "mappings": { + "type": "array", + "items": { "type": "object", "properties": { - "email": { - "type": "string" + "action_type": { + "type": "string", + "example": "overwrite" }, - "full_name": { - "type": "string" + "source": { + "type": "string", + "example": "title" }, - "username": { - "type": "string" + "target": { + "type": "string", + "example": "summary" } - }, - "nullable": true, - "example": null - } - } - }, - "id": { - "type": "string", - "example": "66b9aa00-94fa-11ea-9f74-e7e108796192" - }, - "owner": { - "$ref": "#/components/schemas/owners" - }, - "settings": { - "type": "object", - "properties": { - "syncAlerts": { - "type": "boolean", - "example": true + } } - } - }, - "severity": { - "$ref": "#/components/schemas/severity" - }, - "status": { - "$ref": "#/components/schemas/status" - }, - "tags": { - "type": "array", - "items": { - "type": "string" }, - "example": [ - "phishing", - "social engineering", - "bubblegum" - ] - }, - "title": { - "type": "string", - "example": "This case will self-destruct in 5 seconds" - }, - "totalAlerts": { - "type": "integer", - "example": 0 - }, - "totalComment": { - "type": "integer", - "example": 0 - }, - "updated_at": { - "type": "string", - "format": "date-time", - "nullable": true, - "example": null - }, - "updated_by": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "full_name": { - 
"type": "string" + "owner": { + "$ref": "#/components/schemas/owners" + }, + "updated_at": { + "type": "string", + "format": "date-time", + "nullable": true, + "example": "2022-06-01T19:58:48.169Z" + }, + "updated_by": { + "type": "object", + "properties": { + "email": { + "type": "string", + "example": null + }, + "full_name": { + "type": "string", + "example": null + }, + "username": { + "type": "string", + "example": "elastic" + } }, - "username": { - "type": "string" - } + "nullable": true }, - "nullable": true, - "example": null - }, - "version": { - "type": "string", - "example": "WzUzMiwxXQ==" + "version": { + "type": "string", + "example": "WzIwNzMsMV0=" + } } } - }, - "examples": { - "updateCaseResponse": { - "$ref": "#/components/examples/update_case_response" - } } } } 
@@ -1950,6 +4855,59 @@ "name": "kbn-xsrf", "required": true }, + "owner": { + "in": "query", + "name": "owner", + "description": "A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.\n", + "schema": { + "oneOf": [ + { + "$ref": "#/components/schemas/owners" + }, + { + "type": "array", + "items": { + "$ref": "#/components/schemas/owners" + } + } + ] + }, + "example": "cases" + }, + "severity": { + "in": "query", + "name": "severity", + "description": "The severity of the case.", + "schema": { + "type": "string", + "enum": [ + "critical", + "high", + "low", + "medium" + ] + } + }, + "alert_id": { + "in": "path", + "name": "alertId", + "description": "An identifier for the alert.", + "required": true, + "schema": { + "type": "string", + "example": "09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540" + } + }, + "configuration_id": { + "in": "path", + "name": "configurationId", + "description": "An identifier for the configuration.", + "required": true, + "schema": { + "type": "string", + "example": "3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9" + } + }, "space_id": { "in": "path", "name": "spaceId", @@ -1972,18 +4930,20 @@ ".servicenow", ".servicenow-sir", ".swimlane" - ] + ], + "example": ".none" }, "owners": { "type": "string", - "description": "Owner apps", + "description": "The application that owns the cases: Stack Management, Observability, or Elastic Security.\n", "enum": [ "cases", "observability", "securitySolution" - ] + ], + "example": "cases" }, - "severity": { + "severity_property": { "type": "string", "description": "The severity of the case.", "enum": [ 
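Review bot: The new `severity` query parameter inlines the enum `critical`/`high`/`low`/`medium` instead of referencing the `severity_property` component that the following hunk declares with the identical description; two copies of the allowed values will drift the next time a level is added, and a filter that accepts a value the component schema rejects (or vice versa) is exactly the kind of mismatch that surfaces as rejected requests in validating clients. Replacing the inline schema with `"schema": { "$ref": "#/components/schemas/severity_property" }` keeps a single definition, assuming the component's enum (cut off in this chunk) lists the same four values. This file looks like bundler output, so the change presumably belongs in the spec sources the bundle is generated from.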
@@ -2002,6 +4962,15 @@ "in-progress", "open" ] + }, + "closure_types": { + "type": "string", + "description": "Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`).", + "enum": [ + "close-by-pushing", + "close-by-user" + ], + "example": "close-by-user" } }, "examples": { @@ -2167,6 +5136,59 @@ } } ] + }, + "find_case_response": { + "summary": "Retrieve the first five cases with the `phishing` tag, in ascending order by last update time.", + "value": { + "page": 1, + "per_page": 5, + "total": 1, + "cases": [ + { + "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", + "version": "WzExMCwxXQ==", + "comments": [], + "totalComment": 1, + "totalAlerts": 0, + "title": "Case title", + "tags": [ + "phishing" + ], + "description": "Case description", + "settings": { + "syncAlerts": true + }, + "owner": "securitySolution", + "duration": null, + "severity": "low", + "closed_at": null, + "closed_by": null, + "created_at": "2022-05-12T00:16:36.371Z", + "created_by": { + "email": "jdoe@email.com", + "full_name": "Jane Doe", + "username": "jdoe" + }, + "status": "open", + "updated_at": "2022-05-12T00:27:58.162Z", + "updated_by": { + "email": "jsmith@email.com", + "full_name": "Joe Smith", + "username": "jsmith" + }, + "connector": { + "id": "none", + "name": "none", + "type": ".none", + "fields": null + }, + "external_service": null + } + ], + "count_open_cases": 1, + "count_in_progress_cases": 0, + "count_closed_cases": 0 + } } } }, diff --git a/x-pack/plugins/cases/docs/openapi/bundled.yaml b/x-pack/plugins/cases/docs/openapi/bundled.yaml index 6dcde228ebd7c..16a584a40877b 100644 --- a/x-pack/plugins/cases/docs/openapi/bundled.yaml +++ b/x-pack/plugins/cases/docs/openapi/bundled.yaml 
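Review bot: The `find_case_response` example pairs `"comments": []` with `"totalComment": 1`, which reads as a contradiction unless the reader already knows that the find endpoint reports a comment count without returning comment bodies; the example's `summary` should say so, for instance by appending `Comment bodies are not returned by this API; totalComment carries the count.` I cannot tell from the hunk whether the empty array is intentional endpoint behaviour or an example trimmed by hand, so confirm against the endpoint before changing the wording. As with the rest of this bundle, the edit presumably belongs in the source spec the bundle is generated from.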
@@ -118,23 +118,26 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -148,7 +151,7 @@ paths: description: Turns alert syncing on or off. type: boolean severity: - $ref: '#/components/schemas/severity' + $ref: '#/components/schemas/severity_property' tags: description: >- The words and phrases that help categorize cases. It can be @@ -280,21 +283,19 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' created_at: @@ -306,13 +307,13 @@ paths: properties: email: type: string - example: ahunley@imf.usa.gov + example: null full_name: type: string - example: Alan Hunley + example: null username: type: string - example: ahunley + example: elastic description: type: string example: >- @@ -366,7 +367,7 @@ paths: type: boolean example: true severity: - $ref: '#/components/schemas/severity' + $ref: '#/components/schemas/severity_property' status: $ref: '#/components/schemas/status' tags: 
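Review bot: In the `@@ -306,13 +307,13 @@` hunk, `email` and `full_name` keep `type: string` but now carry `example: null`, and no `nullable: true` is visible on either property, so the example no longer conforms to its own schema; linters that validate examples against schemas will flag it, and generated clients will type the field as non-null while the documented payload shows null. Either mark both properties `nullable: true` (and, if the API can really return null there, do the same wherever these user objects appear) or use a neutral placeholder such as `example: user@example.com`. The same pattern appears in the `@@ -731,13 +733,13 @@` hunk below and in the JSON bundle's `created_by` and `updated_by` property examples earlier in this diff. Replacing the earlier realistic personal name and address with placeholders is the right move; only the schema consistency is left to fix, and since this is a bundled file the fix presumably belongs in the spec sources it is generated from.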
@@ -543,23 +544,26 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -574,7 +578,7 @@ paths: description: Turns alert syncing on or off. type: boolean severity: - $ref: '#/components/schemas/severity' + $ref: '#/components/schemas/severity_property' status: $ref: '#/components/schemas/status' tags: @@ -705,21 +709,19 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' created_at: @@ -731,13 +733,13 @@ paths: properties: email: type: string - example: ahunley@imf.usa.gov + example: null full_name: type: string - example: Alan Hunley + example: null username: type: string - example: ahunley + example: elastic description: type: string example: >- @@ -791,7 +793,7 @@ paths: type: boolean example: true severity: - $ref: '#/components/schemas/severity' + $ref: '#/components/schemas/severity_property' status: $ref: '#/components/schemas/status' tags: 
@@ -837,25 +839,645 @@ paths: - url: https://localhost:5601 servers: - url: https://localhost:5601 - /s/{spaceId}/api/cases: + /api/cases/_find: + get: + description: > + Retrieves a paginated subset of cases. You must have read privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the cases you're seeking. + tags: + - cases + - kibana + parameters: + - name: defaultSearchOperator + in: query + description: The default operator to use for the simple_query_string. + schema: + type: string + default: OR + example: OR + - name: fields + in: query + description: The fields in the entity to return in the response. + schema: + type: array + items: + type: string + - name: from + in: query + description: > + [preview] Returns only cases that were created after a specific + date. The date must be specified as a KQL data range or date match + expression. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will apply best + effort to fix any issues, but features in technical preview are not + subject to the support SLA of official GA features. + schema: + type: string + example: now-1d + x-technical-preview: true + - $ref: '#/components/parameters/owner' + - name: page + in: query + description: The page number to return. + schema: + type: integer + default: 1 + example: 1 + - name: perPage + in: query + description: The number of rules to return per page. + schema: + type: integer + default: 20 + example: 20 + - name: reporters + in: query + description: Filters the returned cases by the user name of the reporter. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: elastic + - name: search + in: query + description: >- + An Elasticsearch simple_query_string query that filters the objects + in the response. 
+ schema: + type: string + - name: searchFields + in: query + description: The fields to perform the simple_query_string parsed query against. + schema: + oneOf: + - type: string + - type: array + items: + type: string + - $ref: '#/components/parameters/severity' + - name: sortField + in: query + description: Determines which field is used to sort the results. + schema: + type: string + enum: + - createdAt + - updatedAt + default: createdAt + example: updatedAt + - name: sortOrder + in: query + description: Determines the sort order. + schema: + type: string + enum: + - asc + - desc + default: desc + example: asc + - in: query + name: status + description: Filters the returned cases by state. + schema: + type: string + enum: + - closed + - in-progress + - open + example: open + - name: tags + in: query + description: Filters the returned cases by tags. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: phishing + - name: to + in: query + description: >- + Returns only cases that were created before a specific date. The + date must be specified as a KQL data range or date match expression. + schema: + type: string + example: now%2B1d + x-technical-preview: true + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: object + properties: + cases: + type: array + items: + type: object + properties: + closed_at: + type: string + format: date-time + nullable: true + example: null + closed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + comments: + type: array + items: + type: string + example: [] + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To + create a case without a connector, specify null. + If you want to omit any individual field, + specify null as its value. 
+ nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow + ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs + for ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue + type is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow + ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for + ServiceNow ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution + can be delayed for ServiceNow ITSM + connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a + case without a connector, use `none`. 
+ type: string + example: none + name: + description: >- + The name of the connector. To create a case + without a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-05-13T09:16:17.416Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + description: + type: string + example: >- + James Bond clicked on a highly suspicious email + banner advertising cheap holidays for underpaid + civil servants. Operation bubblegum is active. + Repeat - operation bubblegum is now active + duration: + type: integer + description: >- + The elapsed time from the creation of the case to + its closure (in seconds). If the case has not been + closed, the duration is set to null. + example: 120 + external_service: + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + type: string + format: date-time + pushed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + id: + type: string + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + owner: + $ref: '#/components/schemas/owners' + settings: + type: object + properties: + syncAlerts: + type: boolean + example: true + severity: + $ref: '#/components/schemas/severity_property' + status: + $ref: '#/components/schemas/status' + tags: + type: array + items: + type: string + example: + - phishing + - social engineering + - bubblegum + title: + type: string + example: This case will self-destruct in 5 seconds + totalAlerts: + type: integer + example: 0 + totalComment: + type: integer + example: 0 + updated_at: + type: string + format: date-time + nullable: true + example: 
null + updated_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + version: + type: string + example: WzUzMiwxXQ== + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + examples: + findCaseResponse: + $ref: '#/components/examples/find_case_response' + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /api/cases/alerts/{alertId}: + get: + description: > + Returns the cases associated with a specific alert. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're seeking. + x-technical-preview: true + tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/alert_id' + - $ref: '#/components/parameters/owner' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + id: + type: string + description: The case identifier. + title: + type: string + description: The case title. + example: + - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + title: security_case + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /api/cases/configure: + get: + description: > + Retrieves external connection details, such as the closure type and + default connector for cases. You must have read privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the case configuration. 
+ tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/owner' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create + a case without a connector, specify null. If you + want to omit any individual field, specify null as + its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. 
+ type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can + be delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without + a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-06-01T17:07:17.767Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + error: + type: string + example: null + id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + type: array + items: + type: object + properties: + action_type: + type: string + example: overwrite + source: + type: string + example: title + target: + type: string + example: summary + owner: + $ref: '#/components/schemas/owners' + updated_at: + type: string + format: date-time + nullable: true + example: '2022-06-01T19:58:48.169Z' + updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true + version: + type: string + example: WzIwNzMsMV0= + servers: + - url: https://localhost:5601 post: description: > - Creates a case. You must have all privileges for the **Cases** feature - in the **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - creating. 
+ Sets external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** + feature in the **Management**, **Observability**, or **Security** + section of the Kibana feature privileges, depending on the owner of the + case configuration. Connectors are used to interface with external + systems. You must create a connector before you can use it in your + cases. Refer to the add connectors API. If you set a default connector, + it is automatically selected when you create cases in Kibana. If you use + the create case API, however, you must still specify all of the + connector details. tags: - cases - kibana parameters: - $ref: '#/components/parameters/kbn_xsrf' - - $ref: '#/components/parameters/space_id' requestBody: content: application/json: schema: type: object properties: + closure_type: + $ref: '#/components/schemas/closure_types' connector: description: An object that contains the connector configuration. type: object @@ -939,26 +1561,26 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' - description: - description: The description for the case. - type: string + required: + - fields + - id + - name + - type owner: $ref: '#/components/schemas/owners' settings: 
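Review bot: The `perPage` parameter of the new `/api/cases/_find` operation is described as "The number of rules to return per page.", which reads like a copy-paste from a rules API; it should be `description: The number of cases to return per page.`. The `duration` property's description says the value is null when the case has not been closed, but the schema is `type: integer` with no `nullable: true`, so either the text or the schema is wrong and adding `nullable: true` beside `type: integer` would make them agree. `from` and `to` are both marked `x-technical-preview: true`, yet only `from` carries the "[preview]" wording and support caveat, and `to`'s example is the percent-encoded `now%2B1d` while `from` uses the raw `now-1d`; examples should hold the raw value, and if the encoding is intentional because `+` is significant in query strings, that belongs in the description rather than the example. `defaultSearchOperator` is a free-form string; if the server accepts only a fixed set of operators, an `enum` would document that and keep invalid values out of generated clients. The hunk ends inside the `/api/cases/configure` post operation, whose request schema continues in the following hunks.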
@@ -968,346 +1590,970 @@ paths: syncAlerts: description: Turns alert syncing on or off. type: boolean - severity: - $ref: '#/components/schemas/severity' - tags: - description: >- - The words and phrases that help categorize cases. It can be - an empty array. - type: array - items: - type: string - title: - description: A title for the case. - type: string + example: true + required: + - syncAlerts required: + - closure_type - connector - - description - owner - - settings - - tags - - title - examples: - createCaseRequest: - $ref: '#/components/examples/create_case_request' responses: '200': description: Indicates a successful call. content: application/json; charset=utf-8: schema: - type: object - properties: - closed_at: - type: string - format: date-time - nullable: true - example: null - closed_by: - type: object - properties: - email: - type: string - full_name: - type: string - username: - type: string - nullable: true - example: null - comments: - type: array - items: + type: array + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create + a case without a connector, specify null. If you + want to omit any individual field, specify null as + its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. 
+ type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can + be delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without + a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: type: string - example: [] - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a - case without a connector, specify null. If you want to - omit any individual field, specify null as its value. 
- nullable: true + format: date-time + example: '2022-06-01T17:07:17.767Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + error: + type: string + example: null + id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + type: array + items: type: object properties: - caseId: - description: The case identifier for Swimlane connectors. + action_type: type: string - category: - description: >- - The category of the incident for ServiceNow ITSM - and ServiceNow SecOps connectors. + example: overwrite + source: type: string - destIp: - description: >- - A comma-separated list of destination IPs for - ServiceNow SecOps connectors. - type: string - impact: - description: >- - The effect an incident had on business for - ServiceNow ITSM connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - type: array - items: - type: number - malwareHash: - description: >- - A comma-separated list of malware hashes for - ServiceNow SecOps connectors. - type: string - malwareUrl: - description: >- - A comma-separated list of malware URLs for - ServiceNow SecOps connectors. - type: string - parent: - description: >- - The key of the parent issue, when the issue type - is sub-task for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow - SecOps connectors. - type: string - severity: - description: >- - The severity of the incident for ServiceNow ITSM - connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM - Resilient connectors. - type: number - sourceIp: - description: >- - A comma-separated list of source IPs for - ServiceNow SecOps connectors. 
- type: string - subcategory: - description: >- - The subcategory of the incident for ServiceNow - ITSM connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be - delayed for ServiceNow ITSM connectors. - type: string - required: - - fields - - id - - name - - type - id: - description: >- - The identifier for the connector. To create a case - without a connector, use `none`. - type: string - name: - description: >- - The name of the connector. To create a case without a - connector, use `none`. - type: string - type: - $ref: '#/components/schemas/connector_types' - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - type: object - properties: - email: - type: string - example: ahunley@imf.usa.gov - full_name: - type: string - example: Alan Hunley - username: - type: string - example: ahunley - description: - type: string - example: >- - James Bond clicked on a highly suspicious email banner - advertising cheap holidays for underpaid civil servants. - Operation bubblegum is active. Repeat - operation - bubblegum is now active - duration: - type: integer - description: >- - The elapsed time from the creation of the case to its - closure (in seconds). If the case has not been closed, the - duration is set to null. 
- example: 120 - external_service: - type: object - properties: - connector_id: - type: string - connector_name: - type: string - external_id: - type: string - external_title: - type: string - external_url: - type: string - pushed_at: - type: string - format: date-time - pushed_by: - type: object - properties: - email: - type: string - full_name: + example: title + target: type: string - username: - type: string - nullable: true - example: null - id: - type: string - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - owner: - $ref: '#/components/schemas/owners' - settings: - type: object - properties: - syncAlerts: - type: boolean - example: true - severity: - $ref: '#/components/schemas/severity' - status: - $ref: '#/components/schemas/status' - tags: - type: array - items: + example: summary + owner: + $ref: '#/components/schemas/owners' + updated_at: type: string - example: - - phishing - - social engineering - - bubblegum - title: - type: string - example: This case will self-destruct in 5 seconds - totalAlerts: - type: integer - example: 0 - totalComment: - type: integer - example: 0 - updated_at: - type: string - format: date-time - nullable: true - example: null - updated_by: - type: object - properties: - email: - type: string - full_name: - type: string - username: - type: string - nullable: true - example: null - version: - type: string - example: WzUzMiwxXQ== - examples: - createCaseResponse: - $ref: '#/components/examples/create_case_response' - servers: - - url: https://localhost:5601 - delete: - description: > - Deletes one or more cases. You must have all privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on the - owner of the cases you're deleting. - tags: - - cases - - kibana - parameters: - - $ref: '#/components/parameters/kbn_xsrf' - - $ref: '#/components/parameters/space_id' - - name: ids - description: >- - The cases that you want to removed. 
All non-ASCII characters must be - URL encoded. - in: query - required: true - schema: - type: string - example: d4e7abb0-b462-11ec-9a8d-698504725a43 - responses: - '204': - description: Indicates a successful call. + format: date-time + nullable: true + example: '2022-06-01T19:58:48.169Z' + updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true + version: + type: string + example: WzIwNzMsMV0= servers: - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /api/cases/configure/{configurationId}: patch: description: > - Updates one or more cases. You must have all privileges for the + Updates external connection details, such as the closure type and + default connector for cases. You must have all privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the - owner of the case you're updating. + owner of the case configuration. Connectors are used to interface with + external systems. You must create a connector before you can it in your + cases. Refer to the add connectors API. tags: - cases - kibana parameters: - $ref: '#/components/parameters/kbn_xsrf' - - $ref: '#/components/parameters/space_id' + - $ref: '#/components/parameters/configuration_id' requestBody: content: application/json: schema: type: object properties: - cases: - type: array - items: - type: object - properties: - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: >- - An object containing the connector fields. To - create a case without a connector, specify null. - If you want to omit any individual field, specify - null as its value. - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. 
- type: string - category: - description: >- - The category of the incident for ServiceNow - ITSM and ServiceNow SecOps connectors. - type: string - destIp: - description: >- - A comma-separated list of destination IPs for - ServiceNow SecOps connectors. - type: string - impact: - description: >- + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a + case without a connector, specify null. If you want to + omit any individual field, specify null as its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type is + sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow + SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. 
+ type: string
+ severityCode:
+ description: >-
+ The severity code of the incident for IBM Resilient
+ connectors.
+ type: number
+ sourceIp:
+ description: >-
+ A comma-separated list of source IPs for ServiceNow
+ SecOps connectors.
+ type: string
+ subcategory:
+ description: >-
+ The subcategory of the incident for ServiceNow ITSM
+ connectors.
+ type: string
+ urgency:
+ description: >-
+ The extent to which the incident resolution can be
+ delayed for ServiceNow ITSM connectors.
+ type: string
+ example: null
+ id:
+ description: >-
+ The identifier for the connector. To create a case
+ without a connector, use `none`.
+ type: string
+ example: none
+ name:
+ description: >-
+ The name of the connector. To create a case without a
+ connector, use `none`.
+ type: string
+ example: none
+ type:
+ $ref: '#/components/schemas/connector_types'
+ required:
+ - fields
+ - id
+ - name
+ - type
+ version:
+ description: >
+ The version of the connector. To retrieve the version value,
+ use the get configuration API.
+ type: string
+ example: WzIwMiwxXQ==
+ required:
+ - version
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; charset=utf-8:
+ schema:
+ type: array
+ items:
+ type: object
+ properties:
+ closure_type:
+ $ref: '#/components/schemas/closure_types'
+ connector:
+ type: object
+ properties:
+ fields:
+ description: >-
+ An object containing the connector fields. To create
+ a case without a connector, specify null. If you
+ want to omit any individual field, specify null as
+ its value.
+ nullable: true
+ type: object
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string
+ category:
+ description: >-
+ The category of the incident for ServiceNow ITSM
+ and ServiceNow SecOps connectors.
+ type: string
+ destIp:
+ description: >-
+ A comma-separated list of destination IPs for
+ ServiceNow SecOps connectors.
+ type: string
+ impact:
+ description: >-
+ The effect an incident had on business for
+ ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of issue for Jira connectors.
+ type: string
+ issueTypes:
+ description: >-
+ The type of incident for IBM Resilient
+ connectors.
+ type: array
+ items:
+ type: number
+ malwareHash:
+ description: >-
+ A comma-separated list of malware hashes for
+ ServiceNow SecOps connectors.
+ type: string
+ malwareUrl:
+ description: >-
+ A comma-separated list of malware URLs for
+ ServiceNow SecOps connectors.
+ type: string
+ parent:
+ description: >-
+ The key of the parent issue, when the issue type
+ is sub-task for Jira connectors.
+ type: string
+ priority:
+ description: >-
+ The priority of the issue for Jira and
+ ServiceNow SecOps connectors.
+ type: string
+ severity:
+ description: >-
+ The severity of the incident for ServiceNow ITSM
+ connectors.
+ type: string
+ severityCode:
+ description: >-
+ The severity code of the incident for IBM
+ Resilient connectors.
+ type: number
+ sourceIp:
+ description: >-
+ A comma-separated list of source IPs for
+ ServiceNow SecOps connectors.
+ type: string
+ subcategory:
+ description: >-
+ The subcategory of the incident for ServiceNow
+ ITSM connectors.
+ type: string
+ urgency:
+ description: >-
+ The extent to which the incident resolution can
+ be delayed for ServiceNow ITSM connectors.
+ type: string
+ example: null
+ id:
+ description: >-
+ The identifier for the connector. To create a case
+ without a connector, use `none`.
+ type: string
+ example: none
+ name:
+ description: >-
+ The name of the connector. To create a case without
+ a connector, use `none`.
+ type: string
+ example: none
+ type:
+ $ref: '#/components/schemas/connector_types'
+ created_at:
+ type: string
+ format: date-time
+ example: '2022-06-01T17:07:17.767Z'
+ created_by:
+ type: object
+ properties:
+ email:
+ type: string
+ example: null
+ full_name:
+ type: string
+ example: null
+ username:
+ type: string
+ example: elastic
+ error:
+ type: string
+ example: null
+ id:
+ type: string
+ example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
+ mappings:
+ type: array
+ items:
+ type: object
+ properties:
+ action_type:
+ type: string
+ example: overwrite
+ source:
+ type: string
+ example: title
+ target:
+ type: string
+ example: summary
+ owner:
+ $ref: '#/components/schemas/owners'
+ updated_at:
+ type: string
+ format: date-time
+ nullable: true
+ example: '2022-06-01T19:58:48.169Z'
+ updated_by:
+ type: object
+ properties:
+ email:
+ type: string
+ example: null
+ full_name:
+ type: string
+ example: null
+ username:
+ type: string
+ example: elastic
+ nullable: true
+ version:
+ type: string
+ example: WzIwNzMsMV0=
+ servers:
+ - url: https://localhost:5601
+ servers:
+ - url: https://localhost:5601
+ /s/{spaceId}/api/cases:
+ post:
+ description: >
+ Creates a case. You must have all privileges for the **Cases** feature
+ in the **Management**, **Observability**, or **Security** section of the
+ Kibana feature privileges, depending on the owner of the case you're
+ creating.
+ tags:
+ - cases
+ - kibana
+ parameters:
+ - $ref: '#/components/parameters/kbn_xsrf'
+ - $ref: '#/components/parameters/space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ connector:
+ description: An object that contains the connector configuration.
+ type: object
+ properties:
+ fields:
+ description: >-
+ An object containing the connector fields. To create a
+ case without a connector, specify null. If you want to
+ omit any individual field, specify null as its value.
+ nullable: true
+ type: object
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string
+ category:
+ description: >-
+ The category of the incident for ServiceNow ITSM and
+ ServiceNow SecOps connectors.
+ type: string
+ destIp:
+ description: >-
+ A comma-separated list of destination IPs for
+ ServiceNow SecOps connectors.
+ type: string
+ impact:
+ description: >-
+ The effect an incident had on business for
+ ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of issue for Jira connectors.
+ type: string
+ issueTypes:
+ description: The type of incident for IBM Resilient connectors.
+ type: array
+ items:
+ type: number
+ malwareHash:
+ description: >-
+ A comma-separated list of malware hashes for
+ ServiceNow SecOps connectors.
+ type: string
+ malwareUrl:
+ description: >-
+ A comma-separated list of malware URLs for
+ ServiceNow SecOps connectors.
+ type: string
+ parent:
+ description: >-
+ The key of the parent issue, when the issue type is
+ sub-task for Jira connectors.
+ type: string
+ priority:
+ description: >-
+ The priority of the issue for Jira and ServiceNow
+ SecOps connectors.
+ type: string
+ severity:
+ description: >-
+ The severity of the incident for ServiceNow ITSM
+ connectors.
+ type: string
+ severityCode:
+ description: >-
+ The severity code of the incident for IBM Resilient
+ connectors.
+ type: number
+ sourceIp:
+ description: >-
+ A comma-separated list of source IPs for ServiceNow
+ SecOps connectors.
+ type: string
+ subcategory:
+ description: >-
+ The subcategory of the incident for ServiceNow ITSM
+ connectors.
+ type: string
+ urgency:
+ description: >-
+ The extent to which the incident resolution can be
+ delayed for ServiceNow ITSM connectors.
+ type: string
+ example: null
+ id:
+ description: >-
+ The identifier for the connector. To create a case
+ without a connector, use `none`.
+ type: string
+ example: none
+ name:
+ description: >-
+ The name of the connector. To create a case without a
+ connector, use `none`.
+ type: string
+ example: none
+ type:
+ $ref: '#/components/schemas/connector_types'
+ required:
+ - fields
+ - id
+ - name
+ - type
+ description:
+ description: The description for the case.
+ type: string
+ owner:
+ $ref: '#/components/schemas/owners'
+ settings:
+ description: An object that contains the case settings.
+ type: object
+ properties:
+ syncAlerts:
+ description: Turns alert syncing on or off.
+ type: boolean
+ severity:
+ $ref: '#/components/schemas/severity_property'
+ tags:
+ description: >-
+ The words and phrases that help categorize cases. It can be
+ an empty array.
+ type: array
+ items:
+ type: string
+ title:
+ description: A title for the case.
+ type: string
+ required:
+ - connector
+ - description
+ - owner
+ - settings
+ - tags
+ - title
+ examples:
+ createCaseRequest:
+ $ref: '#/components/examples/create_case_request'
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; charset=utf-8:
+ schema:
+ type: object
+ properties:
+ closed_at:
+ type: string
+ format: date-time
+ nullable: true
+ example: null
+ closed_by:
+ type: object
+ properties:
+ email:
+ type: string
+ full_name:
+ type: string
+ username:
+ type: string
+ nullable: true
+ example: null
+ comments:
+ type: array
+ items:
+ type: string
+ example: []
+ connector:
+ type: object
+ properties:
+ fields:
+ description: >-
+ An object containing the connector fields. To create a
+ case without a connector, specify null. If you want to
+ omit any individual field, specify null as its value.
+ nullable: true
+ type: object
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string
+ category:
+ description: >-
+ The category of the incident for ServiceNow ITSM
+ and ServiceNow SecOps connectors.
+ type: string
+ destIp:
+ description: >-
+ A comma-separated list of destination IPs for
+ ServiceNow SecOps connectors.
+ type: string
+ impact:
+ description: >-
+ The effect an incident had on business for
+ ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of issue for Jira connectors.
+ type: string
+ issueTypes:
+ description: The type of incident for IBM Resilient connectors.
+ type: array
+ items:
+ type: number
+ malwareHash:
+ description: >-
+ A comma-separated list of malware hashes for
+ ServiceNow SecOps connectors.
+ type: string
+ malwareUrl:
+ description: >-
+ A comma-separated list of malware URLs for
+ ServiceNow SecOps connectors.
+ type: string
+ parent:
+ description: >-
+ The key of the parent issue, when the issue type
+ is sub-task for Jira connectors.
+ type: string
+ priority:
+ description: >-
+ The priority of the issue for Jira and ServiceNow
+ SecOps connectors.
+ type: string
+ severity:
+ description: >-
+ The severity of the incident for ServiceNow ITSM
+ connectors.
+ type: string
+ severityCode:
+ description: >-
+ The severity code of the incident for IBM
+ Resilient connectors.
+ type: number
+ sourceIp:
+ description: >-
+ A comma-separated list of source IPs for
+ ServiceNow SecOps connectors.
+ type: string
+ subcategory:
+ description: >-
+ The subcategory of the incident for ServiceNow
+ ITSM connectors.
+ type: string
+ urgency:
+ description: >-
+ The extent to which the incident resolution can be
+ delayed for ServiceNow ITSM connectors.
+ type: string
+ example: null
+ id:
+ description: >-
+ The identifier for the connector. To create a case
+ without a connector, use `none`.
+ type: string
+ example: none
+ name:
+ description: >-
+ The name of the connector. To create a case without a
+ connector, use `none`.
+ type: string
+ example: none
+ type:
+ $ref: '#/components/schemas/connector_types'
+ created_at:
+ type: string
+ format: date-time
+ example: '2022-05-13T09:16:17.416Z'
+ created_by:
+ type: object
+ properties:
+ email:
+ type: string
+ example: null
+ full_name:
+ type: string
+ example: null
+ username:
+ type: string
+ example: elastic
+ description:
+ type: string
+ example: >-
+ James Bond clicked on a highly suspicious email banner
+ advertising cheap holidays for underpaid civil servants.
+ Operation bubblegum is active. Repeat - operation
+ bubblegum is now active
+ duration:
+ type: integer
+ description: >-
+ The elapsed time from the creation of the case to its
+ closure (in seconds). If the case has not been closed, the
+ duration is set to null.
+ example: 120
+ external_service:
+ type: object
+ properties:
+ connector_id:
+ type: string
+ connector_name:
+ type: string
+ external_id:
+ type: string
+ external_title:
+ type: string
+ external_url:
+ type: string
+ pushed_at:
+ type: string
+ format: date-time
+ pushed_by:
+ type: object
+ properties:
+ email:
+ type: string
+ full_name:
+ type: string
+ username:
+ type: string
+ nullable: true
+ example: null
+ id:
+ type: string
+ example: 66b9aa00-94fa-11ea-9f74-e7e108796192
+ owner:
+ $ref: '#/components/schemas/owners'
+ settings:
+ type: object
+ properties:
+ syncAlerts:
+ type: boolean
+ example: true
+ severity:
+ $ref: '#/components/schemas/severity_property'
+ status:
+ $ref: '#/components/schemas/status'
+ tags:
+ type: array
+ items:
+ type: string
+ example:
+ - phishing
+ - social engineering
+ - bubblegum
+ title:
+ type: string
+ example: This case will self-destruct in 5 seconds
+ totalAlerts:
+ type: integer
+ example: 0
+ totalComment:
+ type: integer
+ example: 0
+ updated_at:
+ type: string
+ format: date-time
+ nullable: true
+ example: null
+ updated_by:
+ type: object
+ properties:
+ email:
+ type: string
+ full_name:
+ type: string
+ username:
+ type: string
+ nullable: true
+ example: null
+ version:
+ type: string
+ example: WzUzMiwxXQ==
+ examples:
+ createCaseResponse:
+ $ref: '#/components/examples/create_case_response'
+ servers:
+ - url: https://localhost:5601
+ delete:
+ description: >
+ Deletes one or more cases. You must have all privileges for the
+ **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on the
+ owner of the cases you're deleting.
+ tags:
+ - cases
+ - kibana
+ parameters:
+ - $ref: '#/components/parameters/kbn_xsrf'
+ - $ref: '#/components/parameters/space_id'
+ - name: ids
+ description: >-
+ The cases that you want to removed. All non-ASCII characters must be
+ URL encoded.
+ in: query
+ required: true
+ schema:
+ type: string
+ example: d4e7abb0-b462-11ec-9a8d-698504725a43
+ responses:
+ '204':
+ description: Indicates a successful call.
+ servers:
+ - url: https://localhost:5601
+ patch:
+ description: >
+ Updates one or more cases. You must have all privileges for the
+ **Cases** feature in the **Management**, **Observability**, or
+ **Security** section of the Kibana feature privileges, depending on the
+ owner of the case you're updating.
+ tags:
+ - cases
+ - kibana
+ parameters:
+ - $ref: '#/components/parameters/kbn_xsrf'
+ - $ref: '#/components/parameters/space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ cases:
+ type: array
+ items:
+ type: object
+ properties:
+ connector:
+ description: An object that contains the connector configuration.
+ type: object
+ properties:
+ fields:
+ description: >-
+ An object containing the connector fields. To
+ create a case without a connector, specify null.
+ If you want to omit any individual field, specify
+ null as its value.
+ nullable: true
+ type: object
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string + category: + description: >- + The category of the incident for ServiceNow + ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- The effect an incident had on business for ServiceNow ITSM connectors. type: string 
@@ -1366,296 +2612,1547 @@ paths: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: >- The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: >- The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: '#/components/schemas/connector_types' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string - id: - description: The identifier for the case. + id: + description: The identifier for the case. + type: string + settings: + description: An object that contains the case settings. + type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + type: boolean + severity: + $ref: '#/components/schemas/severity_property' + status: + $ref: '#/components/schemas/status' + tags: + description: The words and phrases that help categorize cases. + type: array + items: + type: string + title: + description: A title for the case. + type: string + version: + description: The current version of the case. + type: string + required: + - id + - version + examples: + updateCaseRequest: + $ref: '#/components/examples/update_case_request' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: object + properties: + closed_at: + type: string + format: date-time + nullable: true + example: null + closed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + comments: + type: array + items: + type: string + example: [] + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. 
To create a + case without a connector, specify null. If you want to + omit any individual field, specify null as its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow + SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be + delayed for ServiceNow ITSM connectors. 
+ type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without a + connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-05-13T09:16:17.416Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + description: + type: string + example: >- + James Bond clicked on a highly suspicious email banner + advertising cheap holidays for underpaid civil servants. + Operation bubblegum is active. Repeat - operation + bubblegum is now active + duration: + type: integer + description: >- + The elapsed time from the creation of the case to its + closure (in seconds). If the case has not been closed, the + duration is set to null. 
+ example: 120 + external_service: + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + type: string + format: date-time + pushed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + id: + type: string + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + owner: + $ref: '#/components/schemas/owners' + settings: + type: object + properties: + syncAlerts: + type: boolean + example: true + severity: + $ref: '#/components/schemas/severity_property' + status: + $ref: '#/components/schemas/status' + tags: + type: array + items: + type: string + example: + - phishing + - social engineering + - bubblegum + title: + type: string + example: This case will self-destruct in 5 seconds + totalAlerts: + type: integer + example: 0 + totalComment: + type: integer + example: 0 + updated_at: + type: string + format: date-time + nullable: true + example: null + updated_by: + type: object + properties: + email: + type: string + full_name: type: string - settings: - description: An object that contains the case settings. + username: + type: string + nullable: true + example: null + version: + type: string + example: WzUzMiwxXQ== + examples: + updateCaseResponse: + $ref: '#/components/examples/update_case_response' + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /s/{spaceId}/api/cases/_find: + get: + description: > + Retrieves a paginated subset of cases. You must have read privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the cases you're seeking. 
+ tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/space_id' + - name: defaultSearchOperator + in: query + description: The default operator to use for the simple_query_string. + schema: + type: string + default: OR + example: OR + - name: fields + in: query + description: The fields in the entity to return in the response. + schema: + type: array + items: + type: string + - name: from + in: query + description: > + [preview] Returns only cases that were created after a specific + date. The date must be specified as a KQL data range or date match + expression. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will apply best + effort to fix any issues, but features in technical preview are not + subject to the support SLA of official GA features. + schema: + type: string + example: now-1d + - $ref: '#/components/parameters/owner' + - name: page + in: query + description: The page number to return. + schema: + type: integer + default: 1 + example: 1 + - name: perPage + in: query + description: The number of rules to return per page. + schema: + type: integer + default: 20 + example: 20 + - name: reporters + in: query + description: Filters the returned cases by the user name of the reporter. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: elastic + - name: search + in: query + description: >- + An Elasticsearch simple_query_string query that filters the objects + in the response. + schema: + type: string + - name: searchFields + in: query + description: The fields to perform the simple_query_string parsed query against. + schema: + oneOf: + - type: string + - type: array + items: + type: string + - $ref: '#/components/parameters/severity' + - name: sortField + in: query + description: Determines which field is used to sort the results. 
+ schema: + type: string + enum: + - createdAt + - updatedAt + default: createdAt + example: updatedAt + - name: sortOrder + in: query + description: Determines the sort order. + schema: + type: string + enum: + - asc + - desc + default: desc + example: asc + - name: status + in: query + description: Filters the returned cases by state. + schema: + type: string + enum: + - closed + - in-progress + - open + example: open + - name: tags + in: query + description: Filters the returned cases by tags. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: phishing + - name: to + in: query + description: > + [preview] Returns only cases that were created before a specific + date. The date must be specified as a KQL data range or date match + expression. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will apply best + effort to fix any issues, but features in technical preview are not + subject to the support SLA of official GA features. + schema: + type: string + example: now+1d + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: object + properties: + cases: + type: array + items: + type: object + properties: + closed_at: + type: string + format: date-time + nullable: true + example: null + closed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + comments: + type: array + items: + type: string + example: [] + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To + create a case without a connector, specify null. + If you want to omit any individual field, + specify null as its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. 
+ type: string + category: + description: >- + The category of the incident for ServiceNow + ITSM and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs + for ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue + type is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow + ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for + ServiceNow ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution + can be delayed for ServiceNow ITSM + connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a + case without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case + without a connector, use `none`. 
+ type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-05-13T09:16:17.416Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + description: + type: string + example: >- + James Bond clicked on a highly suspicious email + banner advertising cheap holidays for underpaid + civil servants. Operation bubblegum is active. + Repeat - operation bubblegum is now active + duration: + type: integer + description: >- + The elapsed time from the creation of the case to + its closure (in seconds). If the case has not been + closed, the duration is set to null. + example: 120 + external_service: + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + type: string + format: date-time + pushed_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: true + example: null + id: + type: string + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + owner: + $ref: '#/components/schemas/owners' + settings: + type: object + properties: + syncAlerts: + type: boolean + example: true + severity: + $ref: '#/components/schemas/severity_property' + status: + $ref: '#/components/schemas/status' + tags: + type: array + items: + type: string + example: + - phishing + - social engineering + - bubblegum + title: + type: string + example: This case will self-destruct in 5 seconds + totalAlerts: + type: integer + example: 0 + totalComment: + type: integer + example: 0 + updated_at: + type: string + format: date-time + nullable: true + example: null + updated_by: + type: object + properties: + email: + type: string + full_name: + type: string + username: + type: string + nullable: 
true + example: null + version: + type: string + example: WzUzMiwxXQ== + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + examples: + findCaseResponse: + $ref: '#/components/examples/find_case_response' + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /s/{spaceId}/api/cases/alerts/{alertId}: + get: + description: > + Returns the cases associated with a specific alert. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're seeking. + x-technical-preview: true + tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/alert_id' + - $ref: '#/components/parameters/space_id' + - $ref: '#/components/parameters/owner' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + id: + type: string + description: The case identifier. + title: + type: string + description: The case title. + example: + - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + title: security_case + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /s/{spaceId}/api/cases/configure: + get: + description: > + Retrieves external connection details, such as the closure type and + default connector for cases. You must have read privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the case configuration. + tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/space_id' + - $ref: '#/components/parameters/owner' + responses: + '200': + description: Indicates a successful call. 
+ content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create + a case without a connector, specify null. If you + want to omit any individual field, specify null as + its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. 
+ type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can + be delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without + a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-06-01T17:07:17.767Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + error: + type: string + example: null + id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + type: array + items: type: object properties: - syncAlerts: - description: Turns alert syncing on or off. - type: boolean - severity: - $ref: '#/components/schemas/severity' - status: - $ref: '#/components/schemas/status' - tags: - description: The words and phrases that help categorize cases. 
- type: array - items: + action_type: + type: string + example: overwrite + source: + type: string + example: title + target: + type: string + example: summary + owner: + $ref: '#/components/schemas/owners' + updated_at: + type: string + format: date-time + nullable: true + example: '2022-06-01T19:58:48.169Z' + updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true + version: + type: string + example: WzIwNzMsMV0= + servers: + - url: https://localhost:5601 + post: + description: > + Sets external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** + feature in the **Management**, **Observability**, or **Security** + section of the Kibana feature privileges, depending on the owner of the + case configuration. Connectors are used to interface with external + systems. You must create a connector before you can use it in your + cases. Refer to the add connectors API. If you set a default connector, + it is automatically selected when you create cases in Kibana. If you use + the create case API, however, you must still specify all of the + connector details. + tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/kbn_xsrf' + - $ref: '#/components/parameters/space_id' + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a + case without a connector, specify null. If you want to + omit any individual field, specify null as its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. 
+ type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. type: string - title: - description: A title for the case. - type: string - version: - description: The current version of the case. - type: string - required: - - id - - version - examples: - updateCaseRequest: - $ref: '#/components/examples/update_case_request' + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type is + sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow + SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for ServiceNow + SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be + delayed for ServiceNow ITSM connectors. 
+ type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without a + connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + required: + - fields + - id + - name + - type + owner: + $ref: '#/components/schemas/owners' + settings: + description: An object that contains the case settings. + type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + type: boolean + example: true + required: + - syncAlerts + required: + - closure_type + - connector + - owner responses: '200': description: Indicates a successful call. content: application/json; charset=utf-8: schema: - type: object - properties: - closed_at: - type: string - format: date-time - nullable: true - example: null - closed_by: - type: object - properties: - email: - type: string - full_name: - type: string - username: - type: string - nullable: true - example: null - comments: - type: array - items: + type: array + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create + a case without a connector, specify null. If you + want to omit any individual field, specify null as + its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. 
+ type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can + be delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without + a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: type: string - example: [] - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a - case without a connector, specify null. If you want to - omit any individual field, specify null as its value. 
- nullable: true + format: date-time + example: '2022-06-01T17:07:17.767Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + error: + type: string + example: null + id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + type: array + items: type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM - and ServiceNow SecOps connectors. - type: string - destIp: - description: >- - A comma-separated list of destination IPs for - ServiceNow SecOps connectors. - type: string - impact: - description: >- - The effect an incident had on business for - ServiceNow ITSM connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - type: array - items: - type: number - malwareHash: - description: >- - A comma-separated list of malware hashes for - ServiceNow SecOps connectors. - type: string - malwareUrl: - description: >- - A comma-separated list of malware URLs for - ServiceNow SecOps connectors. - type: string - parent: - description: >- - The key of the parent issue, when the issue type - is sub-task for Jira connectors. + action_type: type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow - SecOps connectors. + example: overwrite + source: type: string - severity: - description: >- - The severity of the incident for ServiceNow ITSM - connectors. + example: title + target: type: string - severityCode: - description: >- - The severity code of the incident for IBM - Resilient connectors. 
+ example: summary + owner: + $ref: '#/components/schemas/owners' + updated_at: + type: string + format: date-time + nullable: true + example: '2022-06-01T19:58:48.169Z' + updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true + version: + type: string + example: WzIwNzMsMV0= + servers: + - url: https://localhost:5601 + servers: + - url: https://localhost:5601 + /s/{spaceId}/api/cases/configure/{configurationId}: + patch: + description: > + Updates external connection details, such as the closure type and + default connector for cases. You must have all privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the case configuration. Connectors are used to interface with + external systems. You must create a connector before you can it in your + cases. Refer to the add connectors API. + tags: + - cases + - kibana + parameters: + - $ref: '#/components/parameters/kbn_xsrf' + - $ref: '#/components/parameters/configuration_id' + - $ref: '#/components/parameters/space_id' + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a + case without a connector, specify null. If you want to + omit any individual field, specify null as its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. 
+ type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + type: array + items: type: number - sourceIp: - description: >- - A comma-separated list of source IPs for - ServiceNow SecOps connectors. - type: string - subcategory: - description: >- - The subcategory of the incident for ServiceNow - ITSM connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be - delayed for ServiceNow ITSM connectors. - type: string - required: - - fields - - id - - name - - type - id: - description: >- - The identifier for the connector. To create a case - without a connector, use `none`. - type: string - name: - description: >- - The name of the connector. To create a case without a - connector, use `none`. - type: string - type: - $ref: '#/components/schemas/connector_types' - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - type: object - properties: - email: - type: string - example: ahunley@imf.usa.gov - full_name: - type: string - example: Alan Hunley - username: - type: string - example: ahunley - description: - type: string - example: >- - James Bond clicked on a highly suspicious email banner - advertising cheap holidays for underpaid civil servants. - Operation bubblegum is active. Repeat - operation - bubblegum is now active - duration: - type: integer - description: >- - The elapsed time from the creation of the case to its - closure (in seconds). If the case has not been closed, the - duration is set to null. 
- example: 120 - external_service: - type: object - properties: - connector_id: - type: string - connector_name: - type: string - external_id: - type: string - external_title: - type: string - external_url: - type: string - pushed_at: - type: string - format: date-time - pushed_by: + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type is + sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow + SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: number + sourceIp: + description: >- + A comma-separated list of source IPs for ServiceNow + SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be + delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without a + connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + required: + - fields + - id + - name + - type + version: + description: > + The version of the connector. To retrieve the version value, + use the get configuration API. 
+ type: string + example: WzIwMiwxXQ== + required: + - version + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/closure_types' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create + a case without a connector, specify null. If you + want to omit any individual field, specify null as + its value. + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM + and ServiceNow SecOps connectors. + type: string + destIp: + description: >- + A comma-separated list of destination IPs for + ServiceNow SecOps connectors. + type: string + impact: + description: >- + The effect an incident had on business for + ServiceNow ITSM connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: >- + The type of incident for IBM Resilient + connectors. + type: array + items: + type: number + malwareHash: + description: >- + A comma-separated list of malware hashes for + ServiceNow SecOps connectors. + type: string + malwareUrl: + description: >- + A comma-separated list of malware URLs for + ServiceNow SecOps connectors. + type: string + parent: + description: >- + The key of the parent issue, when the issue type + is sub-task for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and + ServiceNow SecOps connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM + connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM + Resilient connectors. 
+ type: number + sourceIp: + description: >- + A comma-separated list of source IPs for + ServiceNow SecOps connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow + ITSM connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can + be delayed for ServiceNow ITSM connectors. + type: string + example: null + id: + description: >- + The identifier for the connector. To create a case + without a connector, use `none`. + type: string + example: none + name: + description: >- + The name of the connector. To create a case without + a connector, use `none`. + type: string + example: none + type: + $ref: '#/components/schemas/connector_types' + created_at: + type: string + format: date-time + example: '2022-06-01T17:07:17.767Z' + created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + error: + type: string + example: null + id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + type: array + items: type: object properties: - email: + action_type: type: string - full_name: + example: overwrite + source: type: string - username: + example: title + target: type: string - nullable: true - example: null - id: - type: string - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - owner: - $ref: '#/components/schemas/owners' - settings: - type: object - properties: - syncAlerts: - type: boolean - example: true - severity: - $ref: '#/components/schemas/severity' - status: - $ref: '#/components/schemas/status' - tags: - type: array - items: + example: summary + owner: + $ref: '#/components/schemas/owners' + updated_at: type: string - example: - - phishing - - social engineering - - bubblegum - title: - type: string - example: This case will self-destruct in 5 seconds - totalAlerts: - type: integer - example: 0 - totalComment: - type: integer - 
example: 0 - updated_at: - type: string - format: date-time - nullable: true - example: null - updated_by: - type: object - properties: - email: - type: string - full_name: - type: string - username: - type: string - nullable: true - example: null - version: - type: string - example: WzUzMiwxXQ== - examples: - updateCaseResponse: - $ref: '#/components/examples/update_case_response' + format: date-time + nullable: true + example: '2022-06-01T19:58:48.169Z' + updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true + version: + type: string + example: WzIwNzMsMV0= servers: - url: https://localhost:5601 servers: @@ -1676,6 +4173,47 @@ components: in: header name: kbn-xsrf required: true + owner: + in: query + name: owner + description: > + A filter to limit the response to a specific set of applications. If + this parameter is omitted, the response contains information about all + the cases that the user has access to read. + schema: + oneOf: + - $ref: '#/components/schemas/owners' + - type: array + items: + $ref: '#/components/schemas/owners' + example: cases + severity: + in: query + name: severity + description: The severity of the case. + schema: + type: string + enum: + - critical + - high + - low + - medium + alert_id: + in: path + name: alertId + description: An identifier for the alert. + required: true + schema: + type: string + example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 + configuration_id: + in: path + name: configurationId + description: An identifier for the configuration. + required: true + schema: + type: string + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 space_id: in: path name: spaceId 
@@ -1695,14 +4233,18 @@ components: - .servicenow - .servicenow-sir - .swimlane + example: .none owners: type: string - description: Owner apps + description: > + The application that owns the cases: Stack Management, Observability, or + Elastic Security. enum: - cases - observability - securitySolution - severity: + example: cases + severity_property: type: string description: The severity of the case. enum: @@ -1718,6 +4260,16 @@ components: - closed - in-progress - open + closure_types: + type: string + description: >- + Indicates whether a case is automatically closed when it is pushed to + external systems (`close-by-pushing`) or not automatically closed + (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user examples: create_case_request: summary: Create a security case that uses a Jira connector. @@ -1863,6 +4415,51 @@ components: connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 external_id: '10003' connector_name: Jira + find_case_response: + summary: >- + Retrieve the first five cases with the `phishing` tag, in ascending + order by last update time. + value: + page: 1 + per_page: 5 + total: 1 + cases: + - id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + version: WzExMCwxXQ== + comments: [] + totalComment: 1 + totalAlerts: 0 + title: Case title + tags: + - phishing + description: Case description + settings: + syncAlerts: true + owner: securitySolution + duration: null + severity: low + closed_at: null + closed_by: null + created_at: '2022-05-12T00:16:36.371Z' + created_by: + email: jdoe@email.com + full_name: Jane Doe + username: jdoe + status: open + updated_at: '2022-05-12T00:27:58.162Z' + updated_by: + email: jsmith@email.com + full_name: Joe Smith + username: jsmith + connector: + id: none + name: none + type: .none + fields: null + external_service: null + count_open_cases: 1 + count_in_progress_cases: 0 + count_closed_cases: 0 security: - basicAuth: [] - apiKeyAuth: [] 
diff --git a/x-pack/plugins/cases/docs/openapi/components/examples/find_case_response.yaml b/x-pack/plugins/cases/docs/openapi/components/examples/find_case_response.yaml new file mode 100644 index 0000000000000..2603d25cce6ac --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/components/examples/find_case_response.yaml @@ -0,0 +1,48 @@ +summary: Retrieve the first five cases with the `phishing` tag, in ascending order by last update time. +value: + { + "page": 1, + "per_page": 5, + "total": 1, + "cases": [ + { + "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2", + "version": "WzExMCwxXQ==", + "comments": [], + "totalComment": 1, + "totalAlerts": 0, + "title": "Case title", + "tags": [ "phishing" ], + "description": "Case description", + "settings": { "syncAlerts": true }, + "owner": "securitySolution", + "duration": null, + "severity": "low", + "closed_at": null, + "closed_by": null, + "created_at": "2022-05-12T00:16:36.371Z", + "created_by": { + "email": "jdoe@email.com", + "full_name": "Jane Doe", + "username": "jdoe" + }, + "status": "open", + "updated_at": "2022-05-12T00:27:58.162Z", + "updated_by": { + "email": "jsmith@email.com", + "full_name": "Joe Smith", + "username": "jsmith" + }, + "connector": { + "id": "none", + "name": "none", + "type": ".none", + "fields": null + }, + "external_service": null + } + ], + "count_open_cases": 1, + "count_in_progress_cases":0, + "count_closed_cases": 0 + } diff --git a/x-pack/plugins/cases/docs/openapi/components/parameters/alert_id.yaml b/x-pack/plugins/cases/docs/openapi/components/parameters/alert_id.yaml new file mode 100644 index 0000000000000..8677b327b91be --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/components/parameters/alert_id.yaml @@ -0,0 +1,7 @@ +in: path +name: alertId +description: An identifier for the alert. +required: true +schema: + type: string + example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 \ No newline at end of file 
diff --git a/x-pack/plugins/cases/docs/openapi/components/parameters/configuration_id.yaml b/x-pack/plugins/cases/docs/openapi/components/parameters/configuration_id.yaml new file mode 100644 index 0000000000000..65cce12afaa92 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/components/parameters/configuration_id.yaml @@ -0,0 +1,7 @@ +in: path +name: configurationId +description: An identifier for the configuration. +required: true +schema: + type: string + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/parameters/owner.yaml b/x-pack/plugins/cases/docs/openapi/components/parameters/owner.yaml new file mode 100644 index 0000000000000..3c5e511742bf2 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/components/parameters/owner.yaml @@ -0,0 +1,13 @@ +in: query +name: owner +description: > + A filter to limit the response to a specific set of applications. If this + parameter is omitted, the response contains information about all the cases + that the user has access to read. +schema: + oneOf: + - $ref: '../schemas/owners.yaml' + - type: array + items: + $ref: '../schemas/owners.yaml' +example: cases \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/parameters/severity.yaml b/x-pack/plugins/cases/docs/openapi/components/parameters/severity.yaml new file mode 100644 index 0000000000000..747cb1edd2e2f --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/components/parameters/severity.yaml @@ -0,0 +1,10 @@ +in: query +name: severity +description: The severity of the case. +schema: + type: string + enum: + - critical + - high + - low + - medium \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/case_configure_response_properties.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/case_configure_response_properties.yaml new file mode 100644 index 0000000000000..8041c4e340125 --- /dev/null 
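Review bot: The new `severity` query parameter in parameters/severity.yaml re-declares the enum (`critical`, `high`, `low`, `medium`) inline instead of referencing the `severity_property` schema that this same change renames, so the two value lists can drift apart on the next edit. If the filter accepts exactly the case's severity values, `schema:` can become `$ref: '../schemas/severity_property.yaml'`, mirroring how owner.yaml in this hunk series references `../schemas/owners.yaml`. If the query filter is meant to accept a different set than the case property, a one-line comment saying so would stop a later reader from "fixing" it into a `$ref`.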
+++ b/x-pack/plugins/cases/docs/openapi/components/schemas/case_configure_response_properties.yaml @@ -0,0 +1,65 @@ +closure_type: + $ref: 'closure_types.yaml' +connector: + type: object + properties: + $ref: 'connector_properties.yaml' +created_at: + type: string + format: date-time + example: 2022-06-01T17:07:17.767Z +created_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic +error: + type: string + example: null +id: + type: string + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 +mappings: + type: array + items: + type: object + properties: + action_type: + type: string + example: overwrite + source: + type: string + example: title + target: + type: string + example: summary +owner: + $ref: 'owners.yaml' +updated_at: + type: string + format: date-time + nullable: true + example: 2022-06-01T19:58:48.169Z +updated_by: + type: object + properties: + email: + type: string + example: null + full_name: + type: string + example: null + username: + type: string + example: elastic + nullable: true +version: + type: string + example: WzIwNzMsMV0= \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/case_response_properties.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/case_response_properties.yaml index 53f1fd3910224..f3d46c08a517e 100644 --- a/x-pack/plugins/cases/docs/openapi/components/schemas/case_response_properties.yaml +++ b/x-pack/plugins/cases/docs/openapi/components/schemas/case_response_properties.yaml 
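Review bot: In the new case_configure_response_properties.yaml, `created_by.email`, `created_by.full_name`, `updated_by.email`, `updated_by.full_name` and `error` are declared `type: string` but carry `example: null`, which contradicts the schema unless the property is nullable; OpenAPI linters flag example/schema mismatches and strictly generated clients can reject the real response. The examples in this change show the `elastic` user with null email and full name, so the fix is to add `nullable: true` under each of those five properties rather than to change the examples. The `nullable: true` that follows `username` appears to belong to `updated_by` itself (indentation is lost in this view); if so it makes the object nullable but not its member strings.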
@@ -26,19 +26,19 @@ connector: created_at: type: string format: date-time - example: "2022-05-13T09:16:17.416Z" + example: 2022-05-13T09:16:17.416Z created_by: type: object properties: email: type: string - example: "ahunley@imf.usa.gov" + example: null full_name: type: string - example: "Alan Hunley" + example: null username: type: string - example: "ahunley" + example: elastic description: type: string example: "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active" @@ -75,7 +75,7 @@ external_service: example: null id: type: string - example: "66b9aa00-94fa-11ea-9f74-e7e108796192" + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 owner: $ref: 'owners.yaml' settings: @@ -85,7 +85,7 @@ settings: type: boolean example: true severity: - $ref: 'severity.yaml' + $ref: 'severity_property.yaml' status: $ref: 'status.yaml' tags: @@ -95,7 +95,7 @@ tags: example: ["phishing","social engineering","bubblegum"] title: type: string - example: "This case will self-destruct in 5 seconds" + example: This case will self-destruct in 5 seconds totalAlerts: type: integer example: 0 @@ -120,4 +120,4 @@ updated_by: example: null version: type: string - example: "WzUzMiwxXQ==" + example: WzUzMiwxXQ== diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/closure_types.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/closure_types.yaml index f09063d0db18f..6879f820d6f5c 100644 --- a/x-pack/plugins/cases/docs/openapi/components/schemas/closure_types.yaml +++ b/x-pack/plugins/cases/docs/openapi/components/schemas/closure_types.yaml 
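Review bot: The `@@ -26,19` hunk replaces the created_by examples with `example: null` on `email` and `full_name`, but both remain `type: string` without `nullable: true`, so the example no longer validates against its own schema. Dropping the realistic personal data from the example is the right call; add `nullable: true` to both properties so the null example, and the real responses it mirrors, are legal. The now-unquoted `example: 2022-05-13T09:16:17.416Z` relies on the YAML loader keeping it a string rather than a timestamp; the bundled output elsewhere in this diff shows the value re-quoted, so the current bundler appears to handle it, but quoting it in the source would not depend on that.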
@@ -2,4 +2,5 @@ type: string description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). enum: - close-by-pushing - - close-by-user \ No newline at end of file + - close-by-user +example: close-by-user \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/connector_properties.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/connector_properties.yaml index c2bc2ab7c887a..fbaa7ee66b568 100644 --- a/x-pack/plugins/cases/docs/openapi/components/schemas/connector_properties.yaml +++ b/x-pack/plugins/cases/docs/openapi/components/schemas/connector_properties.yaml @@ -50,16 +50,14 @@ fields: urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string - required: - - fields - - id - - name - - type + example: null id: description: The identifier for the connector. To create a case without a connector, use `none`. type: string + example: none name: description: The name of the connector. To create a case without a connector, use `none`. type: string + example: none type: $ref: 'connector_types.yaml' \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/connector_types.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/connector_types.yaml index 24c1ec5880828..2c31b93e2c2db 100644 --- a/x-pack/plugins/cases/docs/openapi/components/schemas/connector_types.yaml +++ b/x-pack/plugins/cases/docs/openapi/components/schemas/connector_types.yaml @@ -6,4 +6,5 @@ enum: - .resilient - .servicenow - .servicenow-sir - - .swimlane \ No newline at end of file + - .swimlane +example: .none \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/owners.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/owners.yaml index f39324a36e702..9036fd5a3833a 100644 
--- a/x-pack/plugins/cases/docs/openapi/components/schemas/owners.yaml +++ b/x-pack/plugins/cases/docs/openapi/components/schemas/owners.yaml @@ -1,6 +1,9 @@ type: string -description: Owner apps +description: > + The application that owns the cases: Stack Management, Observability, or + Elastic Security. enum: - cases - observability - - securitySolution \ No newline at end of file + - securitySolution +example: cases \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/components/schemas/severity.yaml b/x-pack/plugins/cases/docs/openapi/components/schemas/severity_property.yaml similarity index 100% rename from x-pack/plugins/cases/docs/openapi/components/schemas/severity.yaml rename to x-pack/plugins/cases/docs/openapi/components/schemas/severity_property.yaml diff --git a/x-pack/plugins/cases/docs/openapi/entrypoint.yaml b/x-pack/plugins/cases/docs/openapi/entrypoint.yaml index 14155c156b0cc..c43e207641d96 100644 --- a/x-pack/plugins/cases/docs/openapi/entrypoint.yaml +++ b/x-pack/plugins/cases/docs/openapi/entrypoint.yaml @@ -19,14 +19,14 @@ servers: paths: /api/cases: $ref: paths/api@cases.yaml -# /api/cases/_find: -# $ref: paths/api@cases@_find.yaml -# '/api/cases/alerts/{alertId}': -# $ref: 'paths/api@cases@alerts@{alertid}.yaml' -# '/api/cases/configure': -# $ref: paths/api@cases@configure.yaml -# '/api/cases/configure/{configurationId}': -# $ref: paths/api@cases@configure@{configurationid}.yaml + /api/cases/_find: + $ref: paths/api@cases@_find.yaml + '/api/cases/alerts/{alertId}': + $ref: 'paths/api@cases@alerts@{alertid}.yaml' + '/api/cases/configure': + $ref: paths/api@cases@configure.yaml + '/api/cases/configure/{configurationId}': + $ref: paths/api@cases@configure@{configurationid}.yaml # '/api/cases/configure/connectors/_find': # $ref: paths/api@cases@configure@connectors@_find.yaml # '/api/cases/reporters': 
@@ -50,14 +50,14 @@ paths: '/s/{spaceId}/api/cases': $ref: 'paths/s@{spaceid}@api@cases.yaml' - # '/s/{spaceId}/api/cases/_find': - # $ref: 'paths/s@{spaceid}@api@cases@_find.yaml' - # '/s/{spaceId}/api/cases/alerts/{alertId}': - # $ref: 'paths/s@{spaceid}@api@cases@alerts@{alertid}.yaml' - # '/s/{spaceId}/api/cases/configure': - # $ref: paths/s@{spaceid}@api@cases@configure.yaml - # '/s/{spaceId}/api/cases/configure/{configurationId}': - # $ref: paths/s@{spaceid}@api@cases@configure@{configurationid}.yaml + '/s/{spaceId}/api/cases/_find': + $ref: 'paths/s@{spaceid}@api@cases@_find.yaml' + '/s/{spaceId}/api/cases/alerts/{alertId}': + $ref: 'paths/s@{spaceid}@api@cases@alerts@{alertid}.yaml' + '/s/{spaceId}/api/cases/configure': + $ref: paths/s@{spaceid}@api@cases@configure.yaml + '/s/{spaceId}/api/cases/configure/{configurationId}': + $ref: paths/s@{spaceid}@api@cases@configure@{configurationid}.yaml # '/s/{spaceId}/api/cases/configure/connectors/_find': # $ref: paths/s@{spaceid}@api@cases@configure@connectors@_find.yaml # '/s/{spaceId}/api/cases/reporters': diff --git a/x-pack/plugins/cases/docs/openapi/paths/api@cases.yaml b/x-pack/plugins/cases/docs/openapi/paths/api@cases.yaml index 62816ae2767cc..6b8910c215ce2 100644 --- a/x-pack/plugins/cases/docs/openapi/paths/api@cases.yaml +++ b/x-pack/plugins/cases/docs/openapi/paths/api@cases.yaml @@ -18,6 +18,11 @@ post: type: object properties: $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -31,7 +36,7 @@ post: description: Turns alert syncing on or off. type: boolean severity: - $ref: '../components/schemas/severity.yaml' + $ref: '../components/schemas/severity_property.yaml' tags: description: The words and phrases that help categorize cases. It can be an empty array. type: array 
@@ -112,6 +117,11 @@ patch: type: object properties: $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -126,7 +136,7 @@ patch: description: Turns alert syncing on or off. type: boolean severity: - $ref: '../components/schemas/severity.yaml' + $ref: '../components/schemas/severity_property.yaml' status: $ref: '../components/schemas/status.yaml' tags: diff --git a/x-pack/plugins/cases/docs/openapi/paths/api@cases@_find.yaml b/x-pack/plugins/cases/docs/openapi/paths/api@cases@_find.yaml new file mode 100644 index 0000000000000..3a20d0dcbdc49 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/api@cases@_find.yaml 
@@ -0,0 +1,155 @@ +get: + description: > + Retrieves a paginated subset of cases. + You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + tags: + - cases + - kibana + parameters: + - name: defaultSearchOperator + in: query + description: The default operator to use for the simple_query_string. + schema: + type: string + default: OR + example: OR + - name: fields + in: query + description: The fields in the entity to return in the response. + schema: + type: array + items: + type: string + - name: from + in: query + description: > + [preview] Returns only cases that were created after a specific date. + The date must be specified as a KQL data range or date match expression. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will apply best effort to fix any issues, + but features in technical preview are not subject to the support SLA of + official GA features. + schema: + type: string + example: now-1d + x-technical-preview: true + - $ref: '../components/parameters/owner.yaml' + - name: page + in: query + description: The page number to return. + schema: + type: integer + default: 1 + example: 1 + - name: perPage + in: query + description: The number of rules to return per page. + schema: + type: integer + default: 20 + example: 20 + - name: reporters + in: query + description: Filters the returned cases by the user name of the reporter. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: elastic + - name: search + in: query + description: An Elasticsearch simple_query_string query that filters the objects in the response. + schema: + type: string + - name: searchFields + in: query + description: The fields to perform the simple_query_string parsed query against. 
+ schema: + oneOf: + - type: string + - type: array + items: + type: string + - $ref: '../components/parameters/severity.yaml' + - name: sortField + in: query + description: Determines which field is used to sort the results. + schema: + type: string + enum: + - createdAt + - updatedAt + default: createdAt + example: updatedAt + - name: sortOrder + in: query + description: Determines the sort order. + schema: + type: string + enum: + - asc + - desc + default: desc + example: asc + - in: query + name: status + description: Filters the returned cases by state. + schema: + type: string + enum: + - closed + - in-progress + - open + example: open + - name: tags + in: query + description: Filters the returned cases by tags. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: phishing + - name: to + in: query + description: Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. + schema: + type: string + example: now%2B1d + x-technical-preview: true + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: object + properties: + cases: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_response_properties.yaml' + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + examples: + findCaseResponse: + $ref: '../components/examples/find_case_response.yaml' + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 diff --git a/x-pack/plugins/cases/docs/openapi/paths/api@cases@alerts@{alertid}.yaml b/x-pack/plugins/cases/docs/openapi/paths/api@cases@alerts@{alertid}.yaml new file mode 100644 index 0000000000000..d79a3c7264b0e --- /dev/null 
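Review bot: The `perPage` description in the new api@cases@_find.yaml reads `The number of rules to return per page.`, which is copied from another API; for this endpoint it should read `The number of cases to return per page.`, and the same text appears in the space-scoped copy in the hunk ending on L711. The `to` parameter's example is the URL-encoded `now%2B1d` while the space-scoped file uses `now+1d`; examples should carry the decoded value, since generated clients encode query values themselves. `to` also sets `x-technical-preview: true` but, unlike `from`, its description omits the [preview] notice, so the two parameters should be aligned.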
+++ b/x-pack/plugins/cases/docs/openapi/paths/api@cases@alerts@{alertid}.yaml @@ -0,0 +1,36 @@ +get: + description: > + Returns the cases associated with a specific alert. + You must have read privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature privileges, + depending on the owner of the cases you're seeking. + x-technical-preview: true + tags: + - cases + - kibana + parameters: + - $ref: ../components/parameters/alert_id.yaml + - $ref: '../components/parameters/owner.yaml' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + id: + type: string + description: The case identifier. + title: + type: string + description: The case title. + example: + - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + title: security_case + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure.yaml b/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure.yaml new file mode 100644 index 0000000000000..6a685e903c89d --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure.yaml 
@@ -0,0 +1,91 @@ +get: + description: > + Retrieves external connection details, such as the closure type and default + connector for cases. You must have read privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + tags: + - cases + - kibana + parameters: + - $ref: '../components/parameters/owner.yaml' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 + +post: + description: > + Sets external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + Connectors are used to interface with external systems. You must create a + connector before you can use it in your cases. Refer to the add connectors + API. If you set a default connector, it is automatically selected when you + create cases in Kibana. If you use the create case API, however, you must + still specify all of the connector details. + tags: + - cases + - kibana + parameters: + - $ref: ../components/headers/kbn_xsrf.yaml + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '../components/schemas/closure_types.yaml' + connector: + description: An object that contains the connector configuration. + type: object + properties: + $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type + owner: + $ref: '../components/schemas/owners.yaml' + settings: + description: An object that contains the case settings. 
+ type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + type: boolean + example: true + required: + - syncAlerts + required: + - closure_type + - connector + - owner + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 + +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure@{configurationid}.yaml b/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure@{configurationid}.yaml new file mode 100644 index 0000000000000..21d6d7f095d45 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/api@cases@configure@{configurationid}.yaml 
@@ -0,0 +1,55 @@ +patch: + description: > + Updates external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + Connectors are used to interface with external systems. You must create a + connector before you can it in your cases. Refer to the add connectors API. + tags: + - cases + - kibana + parameters: + - $ref: ../components/headers/kbn_xsrf.yaml + - $ref: ../components/parameters/configuration_id.yaml + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '../components/schemas/closure_types.yaml' + connector: + description: An object that contains the connector configuration. + type: object + properties: + $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type + version: + description: > + The version of the connector. To retrieve the version value, use + the get configuration API. + type: string + example: "WzIwMiwxXQ==" + required: + - version + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases.yaml b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases.yaml index b2c2a8e4e11f1..6b1ad03484ebf 100644 --- a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases.yaml +++ b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases.yaml 
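Review bot: Typo in the patch description of the new api@cases@configure@{configurationid}.yaml: `connector before you can it in your cases` should read `connector before you can use it in your cases`; the same sentence appears in the space-scoped copy in the hunk ending on L715. The `version` property is described as `The version of the connector`, yet the text tells the reader to fetch it from the get configuration API and the example resembles a saved-object version string, so it is presumably the configuration's version — worth confirming and rewording to `The version of the configuration.`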
@@ -19,6 +19,11 @@ post: type: object properties: $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -32,7 +37,7 @@ post: description: Turns alert syncing on or off. type: boolean severity: - $ref: '../components/schemas/severity.yaml' + $ref: '../components/schemas/severity_property.yaml' tags: description: The words and phrases that help categorize cases. It can be an empty array. type: array @@ -115,6 +120,11 @@ patch: type: object properties: $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type description: description: The description for the case. type: string @@ -129,7 +139,7 @@ patch: description: Turns alert syncing on or off. type: boolean severity: - $ref: '../components/schemas/severity.yaml' + $ref: '../components/schemas/severity_property.yaml' status: $ref: '../components/schemas/status.yaml' tags: diff --git a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@_find.yaml b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@_find.yaml new file mode 100644 index 0000000000000..58c41c6827c51 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@_find.yaml 
@@ -0,0 +1,160 @@ +get: + description: > + Retrieves a paginated subset of cases. + You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. + tags: + - cases + - kibana + parameters: + - $ref: '../components/parameters/space_id.yaml' + - name: defaultSearchOperator + in: query + description: The default operator to use for the simple_query_string. + schema: + type: string + default: OR + example: OR + - name: fields + in: query + description: The fields in the entity to return in the response. + schema: + type: array + items: + type: string + - name: from + in: query + description: > + [preview] Returns only cases that were created after a specific date. + The date must be specified as a KQL data range or date match expression. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will apply best effort to fix any issues, + but features in technical preview are not subject to the support SLA of + official GA features. + schema: + type: string + example: now-1d + - $ref: '../components/parameters/owner.yaml' + - name: page + in: query + description: The page number to return. + schema: + type: integer + default: 1 + example: 1 + - name: perPage + in: query + description: The number of rules to return per page. + schema: + type: integer + default: 20 + example: 20 + - name: reporters + in: query + description: Filters the returned cases by the user name of the reporter. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: elastic + - name: search + in: query + description: An Elasticsearch simple_query_string query that filters the objects in the response. + schema: + type: string + - name: searchFields + in: query + description: The fields to perform the simple_query_string parsed query against. 
+ schema: + oneOf: + - type: string + - type: array + items: + type: string + - $ref: '../components/parameters/severity.yaml' + - name: sortField + in: query + description: Determines which field is used to sort the results. + schema: + type: string + enum: + - createdAt + - updatedAt + default: createdAt + example: updatedAt + - name: sortOrder + in: query + description: Determines the sort order. + schema: + type: string + enum: + - asc + - desc + default: desc + example: asc + - name: status + in: query + description: Filters the returned cases by state. + schema: + type: string + enum: + - closed + - in-progress + - open + example: open + - name: tags + in: query + description: Filters the returned cases by tags. + schema: + oneOf: + - type: string + - type: array + items: + type: string + example: phishing + - name: to + in: query + description: > + [preview] Returns only cases that were created before a specific date. + The date must be specified as a KQL data range or date match expression. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will apply best effort to fix any issues, + but features in technical preview are not subject to the support SLA of + official GA features. + schema: + type: string + example: now+1d + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: object + properties: + cases: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_response_properties.yaml' + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + examples: + findCaseResponse: + $ref: '../components/examples/find_case_response.yaml' + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 \ No newline at end of file 
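Review bot: The space-scoped find endpoint diverges from the non-space copy (hunk ending on L704) in how technical preview is marked: here `from` and `to` carry the [preview] notice in their descriptions but no `x-technical-preview: true`, whereas the non-space file sets the extension on both parameters. Choose one representation and apply it to both files so the rendered docs and any tooling that reads the extension agree.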
diff --git a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@alerts@{alertid}.yaml b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@alerts@{alertid}.yaml new file mode 100644 index 0000000000000..e0d1bd3201ff9 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@alerts@{alertid}.yaml @@ -0,0 +1,37 @@ +get: + description: > + Returns the cases associated with a specific alert. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature privileges, + depending on the owner of the cases you're seeking. + x-technical-preview: true + tags: + - cases + - kibana + parameters: + - $ref: ../components/parameters/alert_id.yaml + - $ref: '../components/parameters/space_id.yaml' + - $ref: '../components/parameters/owner.yaml' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + id: + type: string + description: The case identifier. + title: + type: string + description: The case title. + example: + - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + title: security_case + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure.yaml b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure.yaml new file mode 100644 index 0000000000000..886ed02d84b9c --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure.yaml 
@@ -0,0 +1,93 @@ +get: + description: > + Retrieves external connection details, such as the closure type and default + connector for cases. You must have read privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + tags: + - cases + - kibana + parameters: + - $ref: '../components/parameters/space_id.yaml' + - $ref: '../components/parameters/owner.yaml' + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 + +post: + description: > + Sets external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + Connectors are used to interface with external systems. You must create a + connector before you can use it in your cases. Refer to the add connectors + API. If you set a default connector, it is automatically selected when you + create cases in Kibana. If you use the create case API, however, you must + still specify all of the connector details. + tags: + - cases + - kibana + parameters: + - $ref: ../components/headers/kbn_xsrf.yaml + - $ref: '../components/parameters/space_id.yaml' + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '../components/schemas/closure_types.yaml' + connector: + description: An object that contains the connector configuration. 
+ type: object + properties: + $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type + owner: + $ref: '../components/schemas/owners.yaml' + settings: + description: An object that contains the case settings. + type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + type: boolean + example: true + required: + - syncAlerts + required: + - closure_type + - connector + - owner + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 + +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure@{configurationid}.yaml b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure@{configurationid}.yaml new file mode 100644 index 0000000000000..2df211af8ea91 --- /dev/null +++ b/x-pack/plugins/cases/docs/openapi/paths/s@{spaceid}@api@cases@configure@{configurationid}.yaml 
@@ -0,0 +1,56 @@ +patch: + description: > + Updates external connection details, such as the closure type and default + connector for cases. You must have all privileges for the **Cases** feature + in the **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case configuration. + Connectors are used to interface with external systems. You must create a + connector before you can it in your cases. Refer to the add connectors API. + tags: + - cases + - kibana + parameters: + - $ref: ../components/headers/kbn_xsrf.yaml + - $ref: ../components/parameters/configuration_id.yaml + - $ref: '../components/parameters/space_id.yaml' + requestBody: + content: + application/json: + schema: + type: object + properties: + closure_type: + $ref: '../components/schemas/closure_types.yaml' + connector: + description: An object that contains the connector configuration. + type: object + properties: + $ref: '../components/schemas/connector_properties.yaml' + required: + - fields + - id + - name + - type + version: + description: > + The version of the connector. To retrieve the version value, use + the get configuration API. + type: string + example: "WzIwMiwxXQ==" + required: + - version + responses: + '200': + description: Indicates a successful call. + content: + application/json; charset=utf-8: + schema: + type: array + items: + type: object + properties: + $ref: '../components/schemas/case_configure_response_properties.yaml' + servers: + - url: https://localhost:5601 +servers: + - url: https://localhost:5601 \ No newline at end of file diff --git a/x-pack/plugins/cases/public/common/mock/test_providers.tsx b/x-pack/plugins/cases/public/common/mock/test_providers.tsx index 523593e68c2f0..bd8e5f325175a 100644 --- a/x-pack/plugins/cases/public/common/mock/test_providers.tsx +++ b/x-pack/plugins/cases/public/common/mock/test_providers.tsx 
@@ -72,6 +72,7 @@ export interface AppMockRenderer { render: UiRender; coreStart: StartServices; queryClient: QueryClient; + AppWrapper: React.FC<{ children: React.ReactElement }>; } export const testQueryClient = new QueryClient({ defaultOptions: { @@ -120,6 +121,7 @@ export const createAppMockRenderer = ({ coreStart: services, queryClient, render, + AppWrapper, }; }; diff --git a/x-pack/plugins/cases/public/components/all_cases/all_cases_list.test.tsx b/x-pack/plugins/cases/public/components/all_cases/all_cases_list.test.tsx index 32ae5ed839b96..35c49c4a7007f 100644 --- a/x-pack/plugins/cases/public/components/all_cases/all_cases_list.test.tsx +++ b/x-pack/plugins/cases/public/components/all_cases/all_cases_list.test.tsx @@ -24,8 +24,6 @@ import { useDeleteCases } from '../../containers/use_delete_cases'; import { useGetCases } from '../../containers/use_get_cases'; import { useGetCasesStatus } from '../../containers/use_get_cases_status'; import { useUpdateCases } from '../../containers/use_bulk_update_case'; -import { useGetActionLicense } from '../../containers/use_get_action_license'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { useKibana } from '../../common/lib/kibana'; import { AllCasesList } from './all_cases_list'; import { CasesColumns, GetCasesColumn, useCasesColumns } from './columns'; @@ -37,6 +35,8 @@ import { useCreateAttachments } from '../../containers/use_create_attachments'; import { useGetTags } from '../../containers/use_get_tags'; import { useGetReporters } from '../../containers/use_get_reporters'; import { useGetCasesMetrics } from '../../containers/use_get_cases_metrics'; +import { useGetActionLicense } from '../../containers/use_get_action_license'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../containers/use_create_attachments'); jest.mock('../../containers/use_bulk_update_case'); 
@@ -63,7 +63,7 @@ const useGetActionLicenseMock = useGetActionLicense as jest.Mock; const useGetTagsMock = useGetTags as jest.Mock; const useGetReportersMock = useGetReporters as jest.Mock; const useKibanaMock = useKibana as jest.MockedFunction; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useCreateAttachmentsMock = useCreateAttachments as jest.Mock; const mockTriggersActionsUiService = triggersActionsUiMock.createStart(); @@ -136,7 +136,7 @@ describe('AllCasesListGeneric', () => { }; const defaultActionLicense = { - actionLicense: null, + data: null, isLoading: false, isError: false, }; @@ -176,8 +176,7 @@ describe('AllCasesListGeneric', () => { isError: false, fetchReporters: jest.fn(), }); - useConnectorsMock.mockImplementation(() => ({ connectors: connectorsMock, loading: false })); - useConnectorsMock.mockImplementation(() => ({ connectors: connectorsMock, loading: false })); + useGetConnectorsMock.mockImplementation(() => ({ data: connectorsMock, isLoading: false })); mockKibana(); moment.tz.setDefault('UTC'); }); diff --git a/x-pack/plugins/cases/public/components/all_cases/all_cases_list.tsx b/x-pack/plugins/cases/public/components/all_cases/all_cases_list.tsx index 72424785f4069..4417b10754f5f 100644 --- a/x-pack/plugins/cases/public/components/all_cases/all_cases_list.tsx +++ b/x-pack/plugins/cases/public/components/all_cases/all_cases_list.tsx @@ -25,9 +25,9 @@ import { CasesTableFilters } from './table_filters'; import { EuiBasicTableOnChange } from './types'; import { CasesTable } from './table'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { useCasesContext } from '../cases_context/use_cases_context'; import { CasesMetrics } from './cases_metrics'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; const ProgressLoader = styled(EuiProgress)` ${({ $isShow }: { $isShow: boolean }) => 
@@ -55,10 +55,11 @@ export interface AllCasesListProps { export const AllCasesList = React.memo( ({ hiddenStatuses = [], isSelectorView = false, onRowClick, doRefresh }) => { const { owner, userCanCrud } = useCasesContext(); - const hasOwner = !!owner.length; const availableSolutions = useAvailableCasesOwners(); const [refresh, setRefresh] = useState(0); + const hasOwner = !!owner.length; + const firstAvailableStatus = head(difference(caseStatuses, hiddenStatuses)); const initialFilterOptions = { ...(!isEmpty(hiddenStatuses) && firstAvailableStatus && { status: firstAvailableStatus }), @@ -78,7 +79,7 @@ export const AllCasesList = React.memo( setSelectedCases, } = useGetCases({ initialFilterOptions }); - const { connectors } = useConnectors(); + const { data: connectors = [] } = useGetConnectors(); const sorting = useMemo( () => ({ diff --git a/x-pack/plugins/cases/public/components/all_cases/index.test.tsx b/x-pack/plugins/cases/public/components/all_cases/index.test.tsx index 474e84598de06..5a2fb7b47f92c 100644 --- a/x-pack/plugins/cases/public/components/all_cases/index.test.tsx +++ b/x-pack/plugins/cases/public/components/all_cases/index.test.tsx @@ -14,11 +14,11 @@ import { TestProviders } from '../../common/mock'; import { useGetTags } from '../../containers/use_get_tags'; import { useGetReporters } from '../../containers/use_get_reporters'; import { useGetActionLicense } from '../../containers/use_get_action_license'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { CaseStatuses } from '../../../common/api'; import { casesStatus, connectorsMock, useGetCasesMockState } from '../../containers/mock'; import { useGetCases } from '../../containers/use_get_cases'; import { useGetCasesStatus } from '../../containers/use_get_cases_status'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../containers/use_get_reporters'); jest.mock('../../containers/use_get_tags'); 
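Review bot: `const { data: connectors = [] } = useGetConnectors();` substitutes an empty list while the query is still in flight, so anything downstream that treats an empty `connectors` array as "none configured" will briefly render that state on every load; the old hook exposed a `loading` flag, as the test mock in the hunk ending on L717 shows, and this call drops the equivalent. If the table or its actions depend on connectors, destructure the loading state as well and gate on it, e.g. `const { data: connectors = [], isLoading: isLoadingConnectors } = useGetConnectors();`. The rest of AllCasesList's body lies outside the hunk, so I cannot see whether a consumer already handles this.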
@@ -28,7 +28,7 @@ jest.mock('../../containers/api'); jest.mock('../../containers/use_get_cases'); jest.mock('../../containers/use_get_cases_status'); -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useGetCasesMock = useGetCases as jest.Mock; const useGetCasesStatusMock = useGetCasesStatus as jest.Mock; const useGetActionLicenseMock = useGetActionLicense as jest.Mock; @@ -58,7 +58,7 @@ describe('AllCases', () => { }; const defaultActionLicense = { - actionLicense: null, + data: null, isLoading: false, isError: false, }; @@ -72,11 +72,7 @@ describe('AllCases', () => { isError: false, fetchReporters: jest.fn(), }); - (useGetActionLicense as jest.Mock).mockReturnValue({ - actionLicense: null, - isLoading: false, - }); - useConnectorsMock.mockImplementation(() => ({ connectors: connectorsMock, loading: false })); + useGetConnectorsMock.mockImplementation(() => ({ data: connectorsMock, isLoading: false })); useGetCasesStatusMock.mockReturnValue(defaultCasesStatus); useGetActionLicenseMock.mockReturnValue(defaultActionLicense); useGetCasesMock.mockReturnValue(defaultGetCases); @@ -150,7 +146,7 @@ describe('AllCases', () => { it('should not allow the user to enter configuration page with basic license', async () => { useGetActionLicenseMock.mockReturnValue({ ...defaultActionLicense, - actionLicense: { + data: { id: '.jira', name: 'Jira', minimumLicenseRequired: 'gold', @@ -176,7 +172,7 @@ describe('AllCases', () => { it('should allow the user to enter configuration page with gold license and above', async () => { useGetActionLicenseMock.mockReturnValue({ ...defaultActionLicense, - actionLicense: { + data: { id: '.jira', name: 'Jira', minimumLicenseRequired: 'gold', diff --git a/x-pack/plugins/cases/public/components/all_cases/index.tsx b/x-pack/plugins/cases/public/components/all_cases/index.tsx index c2811df9a684d..465806135a096 100644 --- a/x-pack/plugins/cases/public/components/all_cases/index.tsx 
+++ b/x-pack/plugins/cases/public/components/all_cases/index.tsx @@ -18,7 +18,7 @@ export const AllCases: React.FC = () => { const { userCanCrud } = useCasesContext(); useCasesBreadcrumbs(CasesDeepLinkId.cases); - const { actionLicense } = useGetActionLicense(); + const { data: actionLicense = null } = useGetActionLicense(); const actionsErrors = useMemo(() => getActionLicenseError(actionLicense), [actionLicense]); return ( diff --git a/x-pack/plugins/cases/public/components/all_cases/selector_modal/all_cases_selector_modal.tsx b/x-pack/plugins/cases/public/components/all_cases/selector_modal/all_cases_selector_modal.tsx index 581ecef47ad88..173d4ec76b230 100644 --- a/x-pack/plugins/cases/public/components/all_cases/selector_modal/all_cases_selector_modal.tsx +++ b/x-pack/plugins/cases/public/components/all_cases/selector_modal/all_cases_selector_modal.tsx @@ -15,9 +15,11 @@ import { EuiModalHeaderTitle, } from '@elastic/eui'; import styled from 'styled-components'; +import { QueryClientProvider } from 'react-query'; import { Case, CaseStatusWithAllStatus } from '../../../../common/ui/types'; import * as i18n from '../../../common/translations'; import { AllCasesList } from '../all_cases_list'; +import { casesQueryClient } from '../../cases_context/query_client'; export interface AllCasesSelectorModalProps { hiddenStatuses?: CaseStatusWithAllStatus[]; @@ -53,23 +55,25 @@ export const AllCasesSelectorModal = React.memo( ); return isModalOpen ? ( - - - {i18n.SELECT_CASE_TITLE} - - - - - - - {i18n.CANCEL} - - - + + + + {i18n.SELECT_CASE_TITLE} + + + + + + + {i18n.CANCEL} + + + + ) : null; } ); diff --git a/x-pack/plugins/cases/public/components/case_action_bar/index.test.tsx b/x-pack/plugins/cases/public/components/case_action_bar/index.test.tsx index 97a61876f0c67..1142f7f27ccf3 100644 --- a/x-pack/plugins/cases/public/components/case_action_bar/index.test.tsx +++ b/x-pack/plugins/cases/public/components/case_action_bar/index.test.tsx 
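Review bot: The new `QueryClientProvider` and `casesQueryClient` imports in all_cases_selector_modal.tsx, together with the indentation shift in the `@@ -53,23 +55,25 @@` hunk, suggest the modal body is now wrapped in its own provider, but the JSX itself is not legible in this rendering and nothing explains why this component needs a provider when AllCasesList does not carry one. A short comment above the wrapper would save the next reader a search, e.g. `{/* Rendered by consumers outside the Cases app tree, so it needs its own provider; casesQueryClient is the shared module-level client, so cached data is the same as in the app */}` — the "outside the app tree" part is my inference and should be confirmed. Because `casesQueryClient` is presumably a module singleton, cached queries (connectors, action license) survive modal unmounts and are visible to every consumer on the page; that is fine here but worth stating where the provider is introduced. The same comment would suit the matching change in create_case_flyout.tsx at the end of this chunk.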
@@ -13,8 +13,10 @@ import { basicCase, caseUserActions, getAlertUserAction } from '../../containers import { CaseActionBar, CaseActionBarProps } from '.'; import { TestProviders } from '../../common/mock'; import { useGetCaseUserActions } from '../../containers/use_get_case_user_actions'; +import { useRefreshCaseViewPage } from '../case_view/use_on_refresh_case_view_page'; jest.mock('../../containers/use_get_case_user_actions'); +jest.mock('../case_view/use_on_refresh_case_view_page'); const useGetCaseUserActionsMock = useGetCaseUserActions as jest.Mock; const defaultUseGetCaseUserActions = { @@ -29,7 +31,6 @@ const defaultUseGetCaseUserActions = { }; describe('CaseActionBar', () => { - const onRefresh = jest.fn(); const onUpdateField = jest.fn(); const defaultProps = { allCasesNavigation: { @@ -39,7 +40,6 @@ describe('CaseActionBar', () => { caseData: basicCase, disableAlerting: false, isLoading: false, - onRefresh, onUpdateField, currentExternalIncident: null, userCanCrud: true, @@ -51,7 +51,7 @@ describe('CaseActionBar', () => { useGetCaseUserActionsMock.mockReturnValue(defaultUseGetCaseUserActions); }); - it('it renders', () => { + it('renders', () => { const wrapper = mount( @@ -81,7 +81,7 @@ describe('CaseActionBar', () => { expect(wrapper.find(`[data-test-subj="case-view-action-bar-spinner"]`).exists()).toBeTruthy(); }); - it('it should show correct status', () => { + it('should show correct status', () => { const wrapper = mount( @@ -93,7 +93,7 @@ describe('CaseActionBar', () => { ); }); - it('it should show the correct date', () => { + it('should show the correct date', () => { const wrapper = mount( @@ -105,7 +105,7 @@ describe('CaseActionBar', () => { ); }); - it('it call onRefresh', () => { + it('invalidates the queryClient cache onRefresh', () => { const wrapper = mount( 
@@ -113,10 +113,11 @@ describe('CaseActionBar', () => { ); wrapper.find(`[data-test-subj="case-refresh"]`).first().simulate('click'); - expect(onRefresh).toHaveBeenCalled(); + + expect(useRefreshCaseViewPage()).toHaveBeenCalled(); }); - it('it should call onUpdateField when changing status', () => { + it('should call onUpdateField when changing status', () => { const wrapper = mount( @@ -131,7 +132,7 @@ describe('CaseActionBar', () => { expect(onUpdateField).toHaveBeenCalledWith({ key: 'status', value: 'in-progress' }); }); - it('it should call onUpdateField when changing syncAlerts setting', () => { + it('should call onUpdateField when changing syncAlerts setting', () => { const wrapper = mount( diff --git a/x-pack/plugins/cases/public/components/case_action_bar/index.tsx b/x-pack/plugins/cases/public/components/case_action_bar/index.tsx index c14c1c2d0498d..5af9835605de9 100644 --- a/x-pack/plugins/cases/public/components/case_action_bar/index.tsx +++ b/x-pack/plugins/cases/public/components/case_action_bar/index.tsx @@ -28,6 +28,7 @@ import type { OnUpdateFields } from '../case_view/types'; import { useCasesFeatures } from '../cases_context/use_cases_features'; import { FormattedRelativePreferenceDate } from '../formatted_date'; import { getStatusDate, getStatusTitle } from './helpers'; +import { useRefreshCaseViewPage } from '../case_view/use_on_refresh_case_view_page'; const MyDescriptionList = styled(EuiDescriptionList)` ${({ theme }) => css` 
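Review bot: `expect(useRefreshCaseViewPage()).toHaveBeenCalled();` in the renamed `'invalidates the queryClient cache onRefresh'` test asserts on a single module-level `jest.fn()` (`refreshFunction` in the new `__mocks__/use_on_refresh_case_view_page.tsx`, next file in this diff), and the visible `beforeEach` only resets `useGetCaseUserActionsMock`, so that function's call history accumulates across tests unless the jest config sets `clearMocks`. As written the assertion cannot tell a click in this test from one in an earlier test. Adding `jest.clearAllMocks();` to the `beforeEach` and asserting `expect(useRefreshCaseViewPage()).toHaveBeenCalledTimes(1);` pins the behavior. Calling the hook outside a component works only because the mock is a plain function; a comment saying so, `// mocked hook returns the shared jest.fn, safe to call outside render`, would stop someone "fixing" it with renderHook.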
@@ -46,19 +47,18 @@ export interface CaseActionBarProps { caseData: Case; userCanCrud: boolean; isLoading: boolean; - onRefresh: () => void; onUpdateField: (args: OnUpdateFields) => void; } const CaseActionBarComponent: React.FC = ({ caseData, userCanCrud, isLoading, - onRefresh, onUpdateField, }) => { const { isSyncAlertsEnabled, metricsFeatures } = useCasesFeatures(); const date = useMemo(() => getStatusDate(caseData), [caseData]); const title = useMemo(() => getStatusTitle(caseData.status), [caseData.status]); + const refreshCaseViewPage = useRefreshCaseViewPage(); const onStatusChanged = useCallback( (status: CaseStatuses) => onUpdateField({ @@ -166,7 +166,7 @@ const CaseActionBarComponent: React.FC = ({ data-test-subj="case-refresh" flush="left" iconType="refresh" - onClick={onRefresh} + onClick={refreshCaseViewPage} > {i18n.CASE_REFRESH} diff --git a/x-pack/plugins/cases/public/components/case_view/__mocks__/use_on_refresh_case_view_page.tsx b/x-pack/plugins/cases/public/components/case_view/__mocks__/use_on_refresh_case_view_page.tsx new file mode 100644 index 0000000000000..bf2949db034bb --- /dev/null +++ b/x-pack/plugins/cases/public/components/case_view/__mocks__/use_on_refresh_case_view_page.tsx @@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +const refreshFunction = jest.fn(); +export const useRefreshCaseViewPage = () => refreshFunction; diff --git a/x-pack/plugins/cases/public/components/case_view/case_view_page.test.tsx b/x-pack/plugins/cases/public/components/case_view/case_view_page.test.tsx index 70738bc44feff..4d00426339c03 100644 --- a/x-pack/plugins/cases/public/components/case_view/case_view_page.test.tsx +++ b/x-pack/plugins/cases/public/components/case_view/case_view_page.test.tsx 
@@ -13,7 +13,7 @@ import { ConnectorTypes } from '../../../common/api'; import { AppMockRenderer, createAppMockRenderer, TestProviders } from '../../common/mock'; import '../../common/mock/match_media'; import { useCaseViewNavigation, useUrlParams } from '../../common/navigation/hooks'; -import { useConnectors } from '../../containers/configure/use_connectors'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; import { basicCaseClosed, basicCaseMetrics, @@ -43,7 +43,7 @@ const useUrlParamsMock = useUrlParams as jest.Mock; const useCaseViewNavigationMock = useCaseViewNavigation as jest.Mock; const useUpdateCaseMock = useUpdateCase as jest.Mock; const useGetCaseUserActionsMock = useGetCaseUserActions as jest.Mock; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const usePostPushToServiceMock = usePostPushToService as jest.Mock; const useGetCaseMetricsMock = useGetCaseMetrics as jest.Mock; @@ -101,7 +101,7 @@ describe('CaseViewPage', () => { useGetCaseMetricsMock.mockReturnValue(defaultGetCaseMetrics); useGetCaseUserActionsMock.mockReturnValue(defaultUseGetCaseUserActions); usePostPushToServiceMock.mockReturnValue({ isLoading: false, pushCaseToExternalService }); - useConnectorsMock.mockReturnValue({ connectors: connectorsMock, loading: false }); + useGetConnectorsMock.mockReturnValue({ data: connectorsMock, isLoading: false }); }); it('should render CaseViewPage', async () => { @@ -531,7 +531,7 @@ describe('CaseViewPage', () => { }); it('should show the correct connector name on the push button', async () => { - useConnectorsMock.mockImplementation(() => ({ connectors: connectorsMock, loading: false })); + useGetConnectorsMock.mockImplementation(() => ({ data: connectorsMock, isLoading: false })); useGetCaseUserActionsMock.mockImplementation(() => ({ ...defaultUseGetCaseUserActions, data: { 
@@ -559,7 +559,7 @@ describe('CaseViewPage', () => { describe('Callouts', () => { it('it shows the danger callout when a connector has been deleted', async () => { - useConnectorsMock.mockImplementation(() => ({ connectors: [], loading: false })); + useGetConnectorsMock.mockImplementation(() => ({ data: [], isLoading: false })); const wrapper = mount( @@ -573,7 +573,7 @@ describe('CaseViewPage', () => { }); it('it does NOT shows the danger callout when connectors are loading', async () => { - useConnectorsMock.mockImplementation(() => ({ connectors: [], loading: true })); + useGetConnectorsMock.mockImplementation(() => ({ data: [], isLoading: true })); const wrapper = mount( diff --git a/x-pack/plugins/cases/public/components/case_view/case_view_page.tsx b/x-pack/plugins/cases/public/components/case_view/case_view_page.tsx index 885310e48fbf7..2a21034a5eaf3 100644 --- a/x-pack/plugins/cases/public/components/case_view/case_view_page.tsx +++ b/x-pack/plugins/cases/public/components/case_view/case_view_page.tsx @@ -7,10 +7,8 @@ import { EuiBetaBadge, EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiTab, EuiTabs } from '@elastic/eui'; import React, { useCallback, useEffect, useMemo, useRef } from 'react'; -import { useQueryClient } from 'react-query'; import styled from 'styled-components'; import { useCaseViewNavigation, useUrlParams } from '../../common/navigation'; -import { CASE_VIEW_CACHE_KEY } from '../../containers/constants'; import { useCasesContext } from '../cases_context/use_cases_context'; import { CaseActionBar } from '../case_action_bar'; import { HeaderPage } from '../header_page'; 
@@ -24,6 +22,7 @@ import { CaseViewAlerts } from './components/case_view_alerts'; import { CaseViewMetrics } from './metrics'; import { ACTIVITY_TAB, ALERTS_TAB } from './translations'; import { CaseViewPageProps, CASE_VIEW_PAGE_TABS } from './types'; +import { useRefreshCaseViewPage } from './use_on_refresh_case_view_page'; import { useOnUpdateField } from './use_on_update_field'; const ExperimentalBadge = styled(EuiBetaBadge)` @@ -34,7 +33,6 @@ export const CaseViewPage = React.memo( ({ caseData, caseId, - fetchCase, onComponentInitialized, refreshRef, ruleDetailsNavigation, @@ -45,7 +43,7 @@ export const CaseViewPage = React.memo( const { userCanCrud, features } = useCasesContext(); const { navigateToCaseView } = useCaseViewNavigation(); const { urlParams } = useUrlParams(); - const queryClient = useQueryClient(); + const refreshCaseViewPage = useRefreshCaseViewPage(); useCasesTitleBreadcrumbs(caseData.title); @@ -59,14 +57,9 @@ export const CaseViewPage = React.memo( const init = useRef(true); const timelineUi = useTimelineContext()?.ui; - const handleRefresh = useCallback(() => { - queryClient.invalidateQueries(CASE_VIEW_CACHE_KEY); - }, [queryClient]); - const { onUpdateField, isLoading, loadingKey } = useOnUpdateField({ caseId, caseData, - handleUpdateField: handleRefresh, }); // Set `refreshRef` if needed @@ -79,7 +72,7 @@ export const CaseViewPage = React.memo( if (isStale || isLoading) { return; } - handleRefresh(); + refreshCaseViewPage(); }, }; return () => { @@ -87,7 +80,7 @@ export const CaseViewPage = React.memo( refreshRef.current = null; }; } - }, [fetchCase, isLoading, refreshRef, handleRefresh]); + }, [isLoading, refreshRef, refreshCaseViewPage]); const onSubmitTitle = useCallback( (newTitle) => @@ -119,7 +112,6 @@ export const CaseViewPage = React.memo( caseData={caseData} actionsNavigation={actionsNavigation} showAlertDetails={showAlertDetails} - updateCase={fetchCase} useFetchAlertData={useFetchAlertData} /> ), 
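Review bot: The `@@ -34,7 +33,6 @@` hunk drops `fetchCase` from the `CaseViewPage` props destructure and the later hunks remove it from the `useEffect` and `useMemo` dependency lists, but `CaseViewPageProps` (imported from `./types`, not changed anywhere in this chunk) is not shown losing the field; if it still declares `fetchCase`, callers keep passing a prop nobody reads. Either remove it from the type or mark it `/** @deprecated no longer used; refresh goes through useRefreshCaseViewPage */` so the dead prop does not linger. The `refreshRef` effect now depends on `refreshCaseViewPage`, which is `useCallback`-memoized on `queryClient` in the new hook, so the dependency list `[isLoading, refreshRef, refreshCaseViewPage]` looks stable; a one-line comment on that effect noting the callback is stable would make the dependency choice obvious.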
@@ -149,7 +141,6 @@ export const CaseViewPage = React.memo( actionsNavigation, caseData, features.alerts.enabled, - fetchCase, ruleDetailsNavigation, showAlertDetails, useFetchAlertData, @@ -192,7 +183,6 @@ export const CaseViewPage = React.memo( caseData={caseData} userCanCrud={userCanCrud} isLoading={isLoading && (loadingKey === 'status' || loadingKey === 'settings')} - onRefresh={handleRefresh} onUpdateField={onUpdateField} /> diff --git a/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.test.tsx b/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.test.tsx index e3aa9fa9d7f8a..89faa14a53d24 100644 --- a/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.test.tsx +++ b/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.test.tsx @@ -19,10 +19,10 @@ import { ConnectorTypes } from '../../../../common/api/connectors'; import { Case } from '../../../../common'; import { CaseViewProps } from '../types'; import { useGetCaseUserActions } from '../../../containers/use_get_case_user_actions'; -import { useConnectors } from '../../../containers/configure/use_connectors'; import { usePostPushToService } from '../../../containers/use_post_push_to_service'; -import { useGetActionLicense } from '../../../containers/use_get_action_license'; import { useGetTags } from '../../../containers/use_get_tags'; +import { useGetActionLicense } from '../../../containers/use_get_action_license'; +import { useGetConnectors } from '../../../containers/configure/use_connectors'; jest.mock('../../../containers/use_get_case_user_actions'); jest.mock('../../../containers/configure/use_connectors'); @@ -34,7 +34,7 @@ jest.mock('../../../containers/use_get_tags'); (useGetTags as jest.Mock).mockReturnValue({ tags: ['coke', 'pepsi'], fetchTags: jest.fn() }); (useGetActionLicense as jest.Mock).mockReturnValue({ - actionLicense: null, + data: null, isLoading: false, }); 
@@ -86,18 +86,17 @@ const defaultUseGetCaseUserActions = { export const caseProps = { ...caseViewProps, caseData, - updateCase: jest.fn(), fetchCaseMetrics: jest.fn(), }; const useGetCaseUserActionsMock = useGetCaseUserActions as jest.Mock; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const usePostPushToServiceMock = usePostPushToService as jest.Mock; describe('Case View Page activity tab', () => { beforeAll(() => { useGetCaseUserActionsMock.mockReturnValue(defaultUseGetCaseUserActions); - useConnectorsMock.mockReturnValue({ connectors: connectorsMock, loading: false }); + useGetConnectorsMock.mockReturnValue({ data: connectorsMock, isLoading: false }); usePostPushToServiceMock.mockReturnValue({ isLoading: false, pushCaseToExternalService }); }); let appMockRender: AppMockRenderer; diff --git a/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.tsx b/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.tsx index 1fe282a304ad9..57b994b733620 100644 --- a/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.tsx +++ b/x-pack/plugins/cases/public/components/case_view/components/case_view_activity.tsx 
@@ -7,12 +7,10 @@ import { EuiFlexGroup, EuiFlexItem, EuiLoadingContent } from '@elastic/eui'; import React, { useCallback, useMemo } from 'react'; -import { useQueryClient } from 'react-query'; -import { CASE_VIEW_CACHE_KEY } from '../../../containers/constants'; +import { useGetConnectors } from '../../../containers/configure/use_connectors'; import { CaseSeverity } from '../../../../common/api'; -import { useConnectors } from '../../../containers/configure/use_connectors'; import { useCaseViewNavigation } from '../../../common/navigation'; -import { UpdateKey, UseFetchAlertData } from '../../../../common/ui/types'; +import { UseFetchAlertData } from '../../../../common/ui/types'; import { Case, CaseStatuses } from '../../../../common'; import { EditConnector } from '../../edit_connector'; import { CasesNavigation } from '../../links'; @@ -33,25 +31,21 @@ export const CaseViewActivity = ({ caseData, actionsNavigation, showAlertDetails, - updateCase, useFetchAlertData, }: { ruleDetailsNavigation?: CasesNavigation; caseData: Case; actionsNavigation?: CasesNavigation; showAlertDetails?: (alertId: string, index: string) => void; - updateCase: () => void; useFetchAlertData: UseFetchAlertData; }) => { const { userCanCrud } = useCasesContext(); const { getCaseViewUrl } = useCaseViewNavigation(); - const queryClient = useQueryClient(); - const { - data: userActionsData, - refetch: fetchCaseUserActions, - isLoading: isLoadingUserActions, - } = useGetCaseUserActions(caseData.id, caseData.connector.id); + const { data: userActionsData, isLoading: isLoadingUserActions } = useGetCaseUserActions( + caseData.id, + caseData.connector.id + ); const onShowAlertDetails = useCallback( (alertId: string, index: string) => { 
@@ -62,17 +56,9 @@ export const CaseViewActivity = ({ [showAlertDetails] ); - const handleUpdateField = useCallback( - (_newCase: Case, _updateKey: UpdateKey) => { - queryClient.invalidateQueries(CASE_VIEW_CACHE_KEY); - }, - [queryClient] - ); - const { onUpdateField, isLoading, loadingKey } = useOnUpdateField({ caseId: caseData.id, caseData, - handleUpdateField, }); const changeStatus = useCallback( @@ -102,21 +88,13 @@ export const CaseViewActivity = ({ [onUpdateField] ); - const { loading: isLoadingConnectors, connectors } = useConnectors(); + const { isLoading: isLoadingConnectors, data: connectors = [] } = useGetConnectors(); const [connectorName, isValidConnector] = useMemo(() => { const connector = connectors.find((c) => c.id === caseData.connector.id); return [connector?.name ?? '', !!connector]; }, [connectors, caseData.connector]); - const handleUpdateCase = useCallback( - (_newCase: Case) => { - updateCase(); - fetchCaseUserActions(); - }, - [updateCase, fetchCaseUserActions] - ); - const onSubmitConnector = useCallback( (connectorId, connectorFields, onError, onSuccess) => { const connector = getConnectorById(connectorId, connectors); @@ -150,7 +128,6 @@ export const CaseViewActivity = ({ caseUserActions={userActionsData.caseUserActions} data={caseData} actionsNavigation={actionsNavigation} - fetchUserActions={fetchCaseUserActions} isLoadingDescription={isLoading && loadingKey === 'description'} isLoadingUserActions={isLoadingUserActions} onShowAlertDetails={onShowAlertDetails} @@ -164,7 +141,6 @@ export const CaseViewActivity = ({ /> ) : null } - updateCase={updateCase} useFetchAlertData={useFetchAlertData} userCanCrud={userCanCrud} /> 
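Review bot: The `@@ -102,21 +88,13 @@` hunk removes `handleUpdateCase`, which explicitly called `fetchCaseUserActions()` after a connector change, and the `@@ -62,17 +56,9 @@` hunk removes the `handleUpdateField` invalidation passed to `useOnUpdateField`; the replacement is not visible in this chunk, and use_on_update_field.ts later in the diff also drops the `updateCase` callback from `updateCaseProperty` without adding an invalidation of its own. Presumably `useUpdateCase` (not in this chunk) now invalidates `CASE_VIEW_CACHE_KEY` on success; if so, a comment in `useOnUpdateField` such as `// cache invalidation for the case view happens inside useUpdateCase on success; callers must not refetch manually` would document the contract the removed code used to make explicit. If it does not, user actions and the connector badge would stop refreshing after an edit, which is worth a targeted test given the `refetch`-based test at `'should show the correct connector name on the push button'` no longer exercises that path. `CaseViewActivity`'s body continues past the last hunk.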
@@ -211,7 +187,6 @@ export const CaseViewActivity = ({ isLoading={isLoadingConnectors || (isLoading && loadingKey === 'connector')} isValidConnector={isLoadingConnectors ? true : isValidConnector} onSubmit={onSubmitConnector} - updateCase={handleUpdateCase} userActions={userActionsData.caseUserActions} userCanCrud={userCanCrud} /> diff --git a/x-pack/plugins/cases/public/components/case_view/index.test.tsx b/x-pack/plugins/cases/public/components/case_view/index.test.tsx index b9784c36d1ee6..c915f40aa30c2 100644 --- a/x-pack/plugins/cases/public/components/case_view/index.test.tsx +++ b/x-pack/plugins/cases/public/components/case_view/index.test.tsx @@ -26,7 +26,6 @@ import { useUpdateCase } from '../../containers/use_update_case'; import { UseGetCase, useGetCase } from '../../containers/use_get_case'; import { useGetCaseMetrics } from '../../containers/use_get_case_metrics'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { usePostPushToService } from '../../containers/use_post_push_to_service'; import { ConnectorTypes } from '../../../common/api'; import { Case } from '../../../common/ui'; @@ -34,6 +33,7 @@ import { useKibana } from '../../common/lib/kibana'; import { useGetCaseUserActions } from '../../containers/use_get_case_user_actions'; import { QueryClient, QueryClientProvider } from 'react-query'; import { CASE_VIEW_CACHE_KEY } from '../../containers/constants'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../containers/use_update_case'); jest.mock('../../containers/use_get_case_user_actions'); 
@@ -50,7 +50,7 @@ const useFetchCaseMock = useGetCase as jest.Mock; const useGetCaseMetricsMock = useGetCaseMetrics as jest.Mock; const useUpdateCaseMock = useUpdateCase as jest.Mock; const useGetCaseUserActionsMock = useGetCaseUserActions as jest.Mock; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const usePostPushToServiceMock = usePostPushToService as jest.Mock; const useKibanaMock = useKibana as jest.MockedFunction; @@ -183,7 +183,7 @@ describe('CaseView', () => { useUpdateCaseMock.mockReturnValue(defaultUpdateCaseState); useGetCaseUserActionsMock.mockReturnValue(defaultUseGetCaseUserActions); usePostPushToServiceMock.mockReturnValue({ isLoading: false, pushCaseToExternalService }); - useConnectorsMock.mockReturnValue({ connectors: connectorsMock, loading: false }); + useGetConnectorsMock.mockReturnValue({ data: connectorsMock, isLoading: false }); useKibanaMock().services.spaces = { ui: spacesUiApiMock } as unknown as SpacesApi; }); diff --git a/x-pack/plugins/cases/public/components/case_view/use_on_refresh_case_view_page.tsx b/x-pack/plugins/cases/public/components/case_view/use_on_refresh_case_view_page.tsx new file mode 100644 index 0000000000000..9d2e606192c85 --- /dev/null +++ b/x-pack/plugins/cases/public/components/case_view/use_on_refresh_case_view_page.tsx 
@@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useCallback } from 'react'; +import { useQueryClient } from 'react-query'; +import { CASE_VIEW_CACHE_KEY } from '../../containers/constants'; + +/** + * Using react-query queryClient to invalidate all the + * case view page cache namespace. + * + * This effectively clears the cache for all the case view pages and + * forces the page to fetch all the data again. Including + * metrics, actions, comments, etc. + */ +export const useRefreshCaseViewPage = () => { + const queryClient = useQueryClient(); + return useCallback(() => { + queryClient.invalidateQueries(CASE_VIEW_CACHE_KEY); + }, [queryClient]); +}; diff --git a/x-pack/plugins/cases/public/components/case_view/use_on_update_field.ts b/x-pack/plugins/cases/public/components/case_view/use_on_update_field.ts index 9820de137760a..3b65e9b767d20 100644 --- a/x-pack/plugins/cases/public/components/case_view/use_on_update_field.ts +++ b/x-pack/plugins/cases/public/components/case_view/use_on_update_field.ts @@ -14,15 +14,7 @@ import { useUpdateCase } from '../../containers/use_update_case'; import { getTypedPayload } from '../../containers/utils'; import { OnUpdateFields } from './types'; -export const useOnUpdateField = ({ - caseData, - caseId, - handleUpdateField, -}: { - caseData: Case; - caseId: string; - handleUpdateField: (newCase: Case, updateKey: UpdateKey) => void; -}) => { +export const useOnUpdateField = ({ caseData, caseId }: { caseData: Case; caseId: string }) => { const { isLoading, updateKey: loadingKey, updateCaseProperty } = useUpdateCase({ caseId }); const onUpdateField = useCallback( 
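Review bot: The doc comment on `useRefreshCaseViewPage` describes the mechanism ("Using react-query queryClient to invalidate ...") but not the contract callers rely on: the returned function is `useCallback`-memoized on `queryClient`, so its identity is stable across renders and it is safe to put in `useEffect`/`useMemo` dependency lists, and the promise returned by `queryClient.invalidateQueries(CASE_VIEW_CACHE_KEY)` is discarded, so callers cannot await the refetch. I would reword the block to state the return value first, e.g. `Returns a stable callback that invalidates every query under CASE_VIEW_CACHE_KEY (case, metrics, user actions, ...), forcing a refetch on next use. The invalidation promise is intentionally not returned; change this if a caller ever needs to await it.` Replacing the two `// ...` sentences about "clears the cache for all the case view pages" with that wording keeps the same meaning and adds the stability guarantee the `refreshRef` effect in case_view_page.tsx depends on.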
@@ -31,7 +23,6 @@ export const useOnUpdateField = ({ updateCaseProperty({ updateKey, updateValue, - updateCase: (newCase) => handleUpdateField(newCase, updateKey), caseData, onSuccess, onError, @@ -81,7 +72,7 @@ export const useOnUpdateField = ({ return null; } }, - [updateCaseProperty, handleUpdateField, caseData] + [updateCaseProperty, caseData] ); return { onUpdateField, isLoading, loadingKey }; }; diff --git a/x-pack/plugins/cases/public/components/configure_cases/__mock__/index.tsx b/x-pack/plugins/cases/public/components/configure_cases/__mock__/index.tsx index 46dbbdbe9a196..cc76bdfcd2f7d 100644 --- a/x-pack/plugins/cases/public/components/configure_cases/__mock__/index.tsx +++ b/x-pack/plugins/cases/public/components/configure_cases/__mock__/index.tsx @@ -7,9 +7,7 @@ import { ActionTypeConnector, ConnectorTypes } from '../../../../common/api'; import { ActionConnector } from '../../../containers/configure/types'; -import { UseConnectorsResponse } from '../../../containers/configure/use_connectors'; import { ReturnUseCaseConfigure } from '../../../containers/configure/use_configure'; -import { UseActionTypesResponse } from '../../../containers/configure/use_action_types'; import { connectorsMock, actionTypesMock } from '../../../common/mock/connectors'; export { mappings } from '../../../containers/configure/mock'; @@ -50,14 +48,14 @@ export const useCaseConfigureResponse: ReturnUseCaseConfigure = { id: '', }; -export const useConnectorsResponse: UseConnectorsResponse = { - loading: false, - connectors, - refetchConnectors: jest.fn(), +export const useConnectorsResponse = { + isLoading: false, + data: connectors, + refetch: jest.fn(), }; -export const useActionTypesResponse: UseActionTypesResponse = { - loading: false, - actionTypes: actionTypesMock, - refetchActionTypes: jest.fn(), +export const useActionTypesResponse = { + isLoading: false, + data: actionTypesMock, + refetch: jest.fn(), }; 
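Review bot: In configure_cases/__mock__/index.tsx the `@@ -50,14 +48,14 @@` hunk drops the `UseConnectorsResponse` and `UseActionTypesResponse` annotations (and their imports) from `useConnectorsResponse` and `useActionTypesResponse`, so the compiler no longer checks that these fixtures match what `useGetConnectors`/`useGetActionTypes` actually return; a future rename of `data`/`isLoading`/`refetch` in the hooks would leave the ConfigureCases tests silently exercising a stale shape. If the hooks no longer export a named response type, `Partial<ReturnType<typeof useGetConnectors>>` (and the same for `useGetActionTypes`) keeps the mock narrow while still catching field drift; if the full react-query result type is too wide to satisfy, a `Pick<..., 'data' | 'isLoading' | 'refetch'>` over it does the same job. A one-line comment noting that the shape intentionally mirrors the react-query `UseQueryResult` fields would also help readers who still expect the old `loading`/`connectors` names.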
diff --git a/x-pack/plugins/cases/public/components/configure_cases/index.test.tsx b/x-pack/plugins/cases/public/components/configure_cases/index.test.tsx index 2ee1c328f4699..888ac6576ec23 100644 --- a/x-pack/plugins/cases/public/components/configure_cases/index.test.tsx +++ b/x-pack/plugins/cases/public/components/configure_cases/index.test.tsx @@ -15,9 +15,7 @@ import { Connectors } from './connectors'; import { ClosureOptions } from './closure_options'; import { useKibana } from '../../common/lib/kibana'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { useCaseConfigure } from '../../containers/configure/use_configure'; -import { useActionTypes } from '../../containers/configure/use_action_types'; import { connectors, @@ -28,6 +26,8 @@ import { } from './__mock__'; import { ConnectorTypes } from '../../../common/api'; import { actionTypeRegistryMock } from '@kbn/triggers-actions-ui-plugin/public/application/action_type_registry.mock'; +import { useGetActionTypes } from '../../containers/configure/use_action_types'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../common/lib/kibana'); jest.mock('../../containers/configure/use_connectors'); @@ -35,10 +35,10 @@ jest.mock('../../containers/configure/use_configure'); jest.mock('../../containers/configure/use_action_types'); const useKibanaMock = useKibana as jest.Mocked; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useCaseConfigureMock = useCaseConfigure as jest.Mock; const useGetUrlSearchMock = jest.fn(); -const useActionTypesMock = useActionTypes as jest.Mock; +const useGetActionTypesMock = useGetActionTypes as jest.Mock; const getAddConnectorFlyoutMock = jest.fn(); const getEditConnectorFlyoutMock = jest.fn(); 
@@ -57,14 +57,14 @@ describe('ConfigureCases', () => { }); beforeEach(() => { - useActionTypesMock.mockImplementation(() => useActionTypesResponse); + useGetActionTypesMock.mockImplementation(() => useActionTypesResponse); }); describe('rendering', () => { let wrapper: ReactWrapper; beforeEach(() => { useCaseConfigureMock.mockImplementation(() => useCaseConfigureResponse); - useConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, connectors: [] })); + useGetConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, data: [] })); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { @@ -118,7 +118,7 @@ describe('ConfigureCases', () => { closureType: 'close-by-user', }, })); - useConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, connectors: [] })); + useGetConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, data: [] })); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { wrappingComponent: TestProviders, @@ -164,7 +164,7 @@ describe('ConfigureCases', () => { closureType: 'close-by-user', }, })); - useConnectorsMock.mockImplementation(() => useConnectorsResponse); + useGetConnectorsMock.mockImplementation(() => useConnectorsResponse); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { @@ -246,9 +246,9 @@ describe('ConfigureCases', () => { }, })); - useConnectorsMock.mockImplementation(() => ({ + useGetConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, - loading: true, + isLoading: true, })); useGetUrlSearchMock.mockImplementation(() => searchURL); 
@@ -280,12 +280,15 @@ describe('ConfigureCases', () => { }); test('it shows isLoading when loading action types', () => { - useConnectorsMock.mockImplementation(() => ({ + useGetConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, - loading: false, + isLoading: false, })); - useActionTypesMock.mockImplementation(() => ({ ...useActionTypesResponse, loading: true })); + useGetActionTypesMock.mockImplementation(() => ({ + ...useActionTypesResponse, + isLoading: true, + })); wrapper = mount(, { wrappingComponent: TestProviders, @@ -309,7 +312,7 @@ describe('ConfigureCases', () => { persistLoading: true, })); - useConnectorsMock.mockImplementation(() => useConnectorsResponse); + useGetConnectorsMock.mockImplementation(() => useConnectorsResponse); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { wrappingComponent: TestProviders, @@ -350,7 +353,7 @@ describe('ConfigureCases', () => { ...useCaseConfigureResponse, loading: true, })); - useConnectorsMock.mockImplementation(() => ({ + useGetConnectorsMock.mockImplementation(() => ({ ...useConnectorsResponse, })); useGetUrlSearchMock.mockImplementation(() => searchURL); @@ -395,7 +398,7 @@ describe('ConfigureCases', () => { }, persistCaseConfigure, })); - useConnectorsMock.mockImplementation(() => useConnectorsResponse); + useGetConnectorsMock.mockImplementation(() => useConnectorsResponse); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { @@ -486,7 +489,7 @@ describe('ConfigureCases', () => { }, persistCaseConfigure, })); - useConnectorsMock.mockImplementation(() => useConnectorsResponse); + useGetConnectorsMock.mockImplementation(() => useConnectorsResponse); useGetUrlSearchMock.mockImplementation(() => searchURL); wrapper = mount(, { 
@@ -533,7 +536,7 @@ describe('ConfigureCases', () => { closureType: 'close-by-user', }, })); - useConnectorsMock.mockImplementation(() => useConnectorsResponse); + useGetConnectorsMock.mockImplementation(() => useConnectorsResponse); useGetUrlSearchMock.mockImplementation(() => searchURL); }); diff --git a/x-pack/plugins/cases/public/components/configure_cases/index.tsx b/x-pack/plugins/cases/public/components/configure_cases/index.tsx index 61172b9998667..16773306d6bef 100644 --- a/x-pack/plugins/cases/public/components/configure_cases/index.tsx +++ b/x-pack/plugins/cases/public/components/configure_cases/index.tsx @@ -15,8 +15,7 @@ import { EuiCallOut, EuiLink } from '@elastic/eui'; import { ActionConnectorTableItem } from '@kbn/triggers-actions-ui-plugin/public/types'; import { SUPPORTED_CONNECTORS } from '../../../common/constants'; import { useKibana } from '../../common/lib/kibana'; -import { useConnectors } from '../../containers/configure/use_connectors'; -import { useActionTypes } from '../../containers/configure/use_action_types'; +import { useGetActionTypes } from '../../containers/configure/use_action_types'; import { useCaseConfigure } from '../../containers/configure/use_configure'; import { ClosureType } from '../../containers/configure/types'; @@ -31,6 +30,7 @@ import { HeaderPage } from '../header_page'; import { useCasesContext } from '../cases_context/use_cases_context'; import { useCasesBreadcrumbs } from '../use_breadcrumbs'; import { CasesDeepLinkId } from '../../common/navigation'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; const FormWrapper = styled.div` ${({ theme }) => css` 
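Review bot: In the `@@ -31,6 +30,7 @@` hunk of configure_cases/index.tsx the new `import { useGetConnectors } from '../../containers/configure/use_connectors';` is appended after the navigation import, while its sibling `useGetActionTypes` import from the same containers directory stays in the earlier import group; a later reader will look for the two container hooks together. The same append-at-the-end placement recurs in form.test.tsx, form_context.test.tsx, form_context.tsx and create/index.test.tsx further down this diff. Moving the line next to `import { useGetActionTypes } from '../../containers/configure/use_action_types';` keeps the grouping the removed `useConnectors` import had.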
@@ -74,8 +74,17 @@ export const ConfigureCases: React.FC = React.memo(() => { setClosureType, } = useCaseConfigure(); - const { loading: isLoadingConnectors, connectors, refetchConnectors } = useConnectors(); - const { loading: isLoadingActionTypes, actionTypes, refetchActionTypes } = useActionTypes(); + const { + isLoading: isLoadingConnectors, + data: connectors = [], + refetch: refetchConnectors, + } = useGetConnectors(); + const { + isLoading: isLoadingActionTypes, + data: actionTypes = [], + refetch: refetchActionTypes, + } = useGetActionTypes(); + const supportedActionTypes = useMemo( () => actionTypes.filter((actionType) => SUPPORTED_CONNECTORS.includes(actionType.id)), [actionTypes] diff --git a/x-pack/plugins/cases/public/components/create/flyout/create_case_flyout.tsx b/x-pack/plugins/cases/public/components/create/flyout/create_case_flyout.tsx index 6a2ac8e15dedb..148cfa119bebd 100644 --- a/x-pack/plugins/cases/public/components/create/flyout/create_case_flyout.tsx +++ b/x-pack/plugins/cases/public/components/create/flyout/create_case_flyout.tsx @@ -9,11 +9,13 @@ import React from 'react'; import styled, { createGlobalStyle } from 'styled-components'; import { EuiFlyout, EuiFlyoutHeader, EuiTitle, EuiFlyoutBody } from '@elastic/eui'; +import { QueryClientProvider } from 'react-query'; import * as i18n from '../translations'; import { Case } from '../../../../common/ui/types'; import { CreateCaseForm } from '../form'; import { UseCreateAttachments } from '../../../containers/use_create_attachments'; import { CaseAttachments } from '../../../types'; +import { casesQueryClient } from '../../cases_context/query_client'; export interface CreateCaseFlyoutProps { afterCaseCreated?: ( @@ -73,7 +75,7 @@ export const CreateCaseFlyout = React.memo( const handleCancel = onClose || function () {}; const handleOnSuccess = onSuccess || async function () {}; return ( - <> + ( - + ); } ); 
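Review bot: The destructuring defaults `data: connectors = [],` and `data: actionTypes = [],` in the ConfigureCases hunk allocate a fresh empty array on every render while the query has no data yet, so the `useMemo` keyed on `[actionTypes]` directly below recomputes on each of those renders and hands downstream code a new `supportedActionTypes` identity each time. A module-level constant used as the default, e.g. `data: actionTypes = EMPTY_ACTION_TYPES,` with `const EMPTY_ACTION_TYPES: never[] = [];` (name constructed), keeps the identity stable; the same pattern appears in form_context.tsx (`data: connectors = []`) later in this diff. The ConfigureCases body continues outside the hunk, so whether anything else memoises on `connectors` is not visible here.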
diff --git a/x-pack/plugins/cases/public/components/create/form.test.tsx b/x-pack/plugins/cases/public/components/create/form.test.tsx index c073e9190b495..d6fc82bbcc5ba 100644 --- a/x-pack/plugins/cases/public/components/create/form.test.tsx +++ b/x-pack/plugins/cases/public/components/create/form.test.tsx @@ -12,13 +12,13 @@ import { act, render } from '@testing-library/react'; import { NONE_CONNECTOR_ID } from '../../../common/api'; import { useForm, Form, FormHook } from '../../common/shared_imports'; import { useGetTags } from '../../containers/use_get_tags'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { connectorsMock } from '../../containers/mock'; import { schema, FormProps } from './schema'; import { CreateCaseForm, CreateCaseFormProps } from './form'; import { useCaseConfigure } from '../../containers/configure/use_configure'; import { useCaseConfigureResponse } from '../configure_cases/__mock__'; import { TestProviders } from '../../common/mock'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../containers/use_get_tags'); jest.mock('../../containers/configure/use_connectors'); @@ -29,7 +29,7 @@ jest.mock('../app/use_available_owners', () => ({ })); const useGetTagsMock = useGetTags as jest.Mock; -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useCaseConfigureMock = useCaseConfigure as jest.Mock; const initialCaseValue: FormProps = { @@ -70,7 +70,7 @@ describe('CreateCaseForm', () => { beforeEach(() => { jest.clearAllMocks(); useGetTagsMock.mockReturnValue({ tags: ['test'] }); - useConnectorsMock.mockReturnValue({ loading: false, connectors: connectorsMock }); + useGetConnectorsMock.mockReturnValue({ isLoading: false, data: connectorsMock }); useCaseConfigureMock.mockImplementation(() => useCaseConfigureResponse); }); 
diff --git a/x-pack/plugins/cases/public/components/create/form_context.test.tsx b/x-pack/plugins/cases/public/components/create/form_context.test.tsx index bfa4f391458da..329a5335f07ee 100644 --- a/x-pack/plugins/cases/public/components/create/form_context.test.tsx +++ b/x-pack/plugins/cases/public/components/create/form_context.test.tsx @@ -16,7 +16,6 @@ import { AppMockRenderer, createAppMockRenderer, TestProviders } from '../../com import { usePostCase } from '../../containers/use_post_case'; import { useCreateAttachments } from '../../containers/use_create_attachments'; import { useGetTags } from '../../containers/use_get_tags'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { useCaseConfigure } from '../../containers/configure/use_configure'; import { useGetIncidentTypes } from '../connectors/resilient/use_get_incident_types'; import { useGetSeverity } from '../connectors/resilient/use_get_severity'; @@ -42,6 +41,7 @@ import { Choice } from '../connectors/servicenow/types'; import userEvent from '@testing-library/user-event'; import { connectorsMock } from '../../common/mock/connectors'; import { CaseAttachments } from '../../types'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; const sampleId = 'case-id'; @@ -60,7 +60,7 @@ jest.mock('../connectors/jira/use_get_issues'); jest.mock('../connectors/servicenow/use_get_choices'); jest.mock('../../common/lib/kibana'); -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useCaseConfigureMock = useCaseConfigure as jest.Mock; const usePostCaseMock = usePostCase as jest.Mock; const useCreateAttachmentsMock = useCreateAttachments as jest.Mock; 
@@ -145,7 +145,7 @@ describe('Create case', () => { usePostCaseMock.mockImplementation(() => defaultPostCase); useCreateAttachmentsMock.mockImplementation(() => ({ createAttachments })); usePostPushToServiceMock.mockImplementation(() => defaultPostPushToService); - useConnectorsMock.mockReturnValue(sampleConnectorData); + useGetConnectorsMock.mockReturnValue(sampleConnectorData); useCaseConfigureMock.mockImplementation(() => useCaseConfigureResponse); useGetIncidentTypesMock.mockReturnValue(useGetIncidentTypesResponse); useGetSeverityMock.mockReturnValue(useGetSeverityResponse); @@ -190,9 +190,9 @@ describe('Create case', () => { }); it('should post case on submit click', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const renderResult = mockedContext.render( @@ -210,9 +210,9 @@ describe('Create case', () => { }); it('should post a case on submit click with the selected severity', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const renderResult = mockedContext.render( @@ -268,9 +268,9 @@ describe('Create case', () => { }); it('should toggle sync settings', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -292,9 +292,9 @@ describe('Create case', () => { }); it('should set sync alerts to false when the sync feature setting is false', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( 
@@ -338,9 +338,9 @@ describe('Create case', () => { persistLoading: false, })); - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -388,9 +388,9 @@ describe('Create case', () => { persistLoading: false, })); - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -413,9 +413,9 @@ describe('Create case', () => { describe('Step 2 - Connector Fields', () => { it(`should submit and push to Jira connector`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -480,9 +480,9 @@ describe('Create case', () => { }); it(`should submit and push to resilient connector`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -550,9 +550,9 @@ describe('Create case', () => { }); it(`should submit and push to servicenow itsm connector`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( @@ -645,9 +645,9 @@ describe('Create case', () => { }); it(`should submit and push to servicenow sir connector`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mount( 
@@ -748,9 +748,9 @@ describe('Create case', () => { }); it(`should call afterCaseCreated`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const wrapper = mockedContext.render( @@ -781,9 +781,9 @@ describe('Create case', () => { }); it('should call createAttachments with the attachments after the case is created', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const attachments = [ { @@ -826,9 +826,9 @@ describe('Create case', () => { }); it('should NOT call createAttachments if the attachments are an empty array', async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const attachments: CaseAttachments = []; @@ -849,9 +849,9 @@ describe('Create case', () => { }); it(`should call callbacks in correct order`, async () => { - useConnectorsMock.mockReturnValue({ + useGetConnectorsMock.mockReturnValue({ ...sampleConnectorData, - connectors: connectorsMock, + data: connectorsMock, }); const attachments = [ { diff --git a/x-pack/plugins/cases/public/components/create/form_context.tsx b/x-pack/plugins/cases/public/components/create/form_context.tsx index a65e9f5960e9d..70b4fb4ec9ab0 100644 --- a/x-pack/plugins/cases/public/components/create/form_context.tsx +++ b/x-pack/plugins/cases/public/components/create/form_context.tsx 
@@ -12,7 +12,6 @@ import { getNoneConnector, normalizeActionConnector } from '../configure_cases/u import { usePostCase } from '../../containers/use_post_case'; import { usePostPushToService } from '../../containers/use_post_push_to_service'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { Case } from '../../containers/types'; import { CaseSeverity, NONE_CONNECTOR_ID } from '../../../common/api'; import { @@ -23,6 +22,7 @@ import { useCasesContext } from '../cases_context/use_cases_context'; import { useCasesFeatures } from '../cases_context/use_cases_features'; import { getConnectorById } from '../utils'; import { CaseAttachments } from '../../types'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; const initialCaseValue: FormProps = { description: '', @@ -51,7 +51,7 @@ export const FormContext: React.FC = ({ onSuccess, attachments, }) => { - const { connectors, loading: isLoadingConnectors } = useConnectors(); + const { data: connectors = [], isLoading: isLoadingConnectors } = useGetConnectors(); const { owner } = useCasesContext(); const { isSyncAlertsEnabled } = useCasesFeatures(); const { postCase } = usePostCase(); diff --git a/x-pack/plugins/cases/public/components/create/index.test.tsx b/x-pack/plugins/cases/public/components/create/index.test.tsx index 64935321eabac..3f87aa1b02986 100644 --- a/x-pack/plugins/cases/public/components/create/index.test.tsx +++ b/x-pack/plugins/cases/public/components/create/index.test.tsx 
@@ -12,7 +12,6 @@ import { EuiComboBox, EuiComboBoxOptionOption } from '@elastic/eui'; import { TestProviders } from '../../common/mock'; import { useGetTags } from '../../containers/use_get_tags'; -import { useConnectors } from '../../containers/configure/use_connectors'; import { useCaseConfigure } from '../../containers/configure/use_configure'; import { useGetIncidentTypes } from '../connectors/resilient/use_get_incident_types'; import { useGetSeverity } from '../connectors/resilient/use_get_severity'; @@ -29,6 +28,7 @@ import { useGetFieldsByIssueTypeResponse, } from './mock'; import { CreateCase } from '.'; +import { useGetConnectors } from '../../containers/configure/use_connectors'; jest.mock('../../containers/api'); jest.mock('../../containers/use_get_tags'); @@ -41,7 +41,7 @@ jest.mock('../connectors/jira/use_get_fields_by_issue_type'); jest.mock('../connectors/jira/use_get_single_issue'); jest.mock('../connectors/jira/use_get_issues'); -const useConnectorsMock = useConnectors as jest.Mock; +const useGetConnectorsMock = useGetConnectors as jest.Mock; const useCaseConfigureMock = useCaseConfigure as jest.Mock; const useGetTagsMock = useGetTags as jest.Mock; const useGetIncidentTypesMock = useGetIncidentTypes as jest.Mock; @@ -78,7 +78,7 @@ const defaultProps = { describe('CreateCase case', () => { beforeEach(() => { jest.clearAllMocks(); - useConnectorsMock.mockReturnValue(sampleConnectorData); + useGetConnectorsMock.mockReturnValue(sampleConnectorData); useCaseConfigureMock.mockImplementation(() => useCaseConfigureResponse); useGetIncidentTypesMock.mockReturnValue(useGetIncidentTypesResponse); useGetSeverityMock.mockReturnValue(useGetSeverityResponse); diff --git a/x-pack/plugins/cases/public/components/create/mock.ts b/x-pack/plugins/cases/public/components/create/mock.ts index 38d57bf24781e..8f67b3c05d3e4 100644 --- a/x-pack/plugins/cases/public/components/create/mock.ts +++ b/x-pack/plugins/cases/public/components/create/mock.ts 
@@ -27,7 +27,7 @@ export const sampleData: CasePostRequest = { owner: SECURITY_SOLUTION_OWNER, }; -export const sampleConnectorData = { loading: false, connectors: [] }; +export const sampleConnectorData = { isLoading: false, data: [] }; export const useGetIncidentTypesResponse = { isLoading: false, diff --git a/x-pack/plugins/cases/public/components/edit_connector/index.test.tsx b/x-pack/plugins/cases/public/components/edit_connector/index.test.tsx index 3f8f47f2b96ae..6309ce0ebd832 100644 --- a/x-pack/plugins/cases/public/components/edit_connector/index.test.tsx +++ b/x-pack/plugins/cases/public/components/edit_connector/index.test.tsx @@ -16,7 +16,6 @@ import { basicCase, basicPush, caseUserActions, connectorsMock } from '../../con import { CaseConnector } from '../../containers/configure/types'; const onSubmit = jest.fn(); -const updateCase = jest.fn(); const caseServices = { '123': { ...basicPush, @@ -36,7 +35,6 @@ const getDefaultProps = (): EditConnectorProps => { isLoading: false, isValidConnector: true, onSubmit, - updateCase, userActions: caseUserActions, userCanCrud: true, }; diff --git a/x-pack/plugins/cases/public/components/edit_connector/index.tsx b/x-pack/plugins/cases/public/components/edit_connector/index.tsx index 3d87578e90d8f..29ab523764b47 100644 --- a/x-pack/plugins/cases/public/components/edit_connector/index.tsx +++ b/x-pack/plugins/cases/public/components/edit_connector/index.tsx @@ -47,7 +47,6 @@ export interface EditConnectorProps { onError: () => void, onSuccess: () => void ) => void; - updateCase: (newCase: Case) => void; userActions: CaseUserActions[]; userCanCrud?: boolean; } @@ -119,7 +118,6 @@ export const EditConnector = React.memo( isLoading, isValidConnector, onSubmit, - updateCase, userActions, userCanCrud = true, }: EditConnectorProps) => { @@ -275,7 +273,6 @@ export const EditConnector = React.memo( connectors, hasDataToPush, onEditClick, - updateCase, userCanCrud, isValidConnector, }); 
diff --git a/x-pack/plugins/cases/public/components/recent_cases/index.tsx b/x-pack/plugins/cases/public/components/recent_cases/index.tsx index 0b4e65cf68709..4cc070e77b76a 100644 --- a/x-pack/plugins/cases/public/components/recent_cases/index.tsx +++ b/x-pack/plugins/cases/public/components/recent_cases/index.tsx @@ -8,6 +8,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiHorizontalRule, EuiText, EuiTitle } from '@elastic/eui'; import React, { useCallback, useMemo, useState } from 'react'; +import { QueryClientProvider } from 'react-query'; import * as i18n from './translations'; import { LinkAnchor } from '../links'; import { RecentCasesFilters } from './filters'; @@ -15,6 +16,7 @@ import { RecentCasesComp } from './recent_cases'; import { FilterMode as RecentCasesFilterMode } from './types'; import { useCurrentUser } from '../../common/lib/kibana'; import { useAllCasesNavigation } from '../../common/navigation'; +import { casesQueryClient } from '../cases_context/query_client'; export interface RecentCasesProps { maxCasesToShow: number; @@ -52,7 +54,7 @@ const RecentCases = React.memo(({ maxCasesToShow }: RecentCasesProps) => { ); return ( - <> + <> @@ -81,7 +83,7 @@ const RecentCases = React.memo(({ maxCasesToShow }: RecentCasesProps) => { - + ); }); diff --git a/x-pack/plugins/cases/public/components/tag_list/index.tsx b/x-pack/plugins/cases/public/components/tag_list/index.tsx index 44643412faa5f..5b1463d23862a 100644 --- a/x-pack/plugins/cases/public/components/tag_list/index.tsx +++ b/x-pack/plugins/cases/public/components/tag_list/index.tsx @@ -70,8 +70,10 @@ export const TagList = React.memo( const { isValid, data: newData } = await submit(); if (isValid && newData.tags) { onSubmit(newData.tags); + form.reset({ defaultValue: newData }); setIsEditTags(false); } + // eslint-disable-next-line react-hooks/exhaustive-deps }, [onSubmit, submit]); const { tags: tagOptions } = useGetTags(); 
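Review bot: In the tag_list/index.tsx hunk the added `// eslint-disable-next-line react-hooks/exhaustive-deps` silences the lint for a callback that now reads `form` (via the new `form.reset({ defaultValue: newData });`) without listing it in `[onSubmit, submit]`, so the callback would keep a stale `form` if that object's identity ever changed. Unless `form` is known to be unstable across renders, the simpler fix is to list it and drop the disable: `}, [onSubmit, submit, form]);`. If the disable is intentional, the comment should say why the dependency is safe to omit rather than just suppressing the rule. The enclosing callback starts outside the hunk.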
diff --git a/x-pack/plugins/cases/public/components/use_push_to_service/index.test.tsx b/x-pack/plugins/cases/public/components/use_push_to_service/index.test.tsx index 1c97c6ff30506..615c2780599de 100644 --- a/x-pack/plugins/cases/public/components/use_push_to_service/index.test.tsx +++ b/x-pack/plugins/cases/public/components/use_push_to_service/index.test.tsx @@ -15,18 +15,19 @@ import { TestProviders } from '../../common/mock'; import { CaseStatuses, ConnectorTypes } from '../../../common/api'; import { usePostPushToService } from '../../containers/use_post_push_to_service'; import { basicPush, actionLicenses, connectorsMock } from '../../containers/mock'; -import { useGetActionLicense } from '../../containers/use_get_action_license'; import { CLOSED_CASE_PUSH_ERROR_ID } from './callout/types'; import * as i18n from './translations'; +import { useGetActionLicense } from '../../containers/use_get_action_license'; jest.mock('../../containers/use_get_action_license'); jest.mock('../../containers/use_post_push_to_service'); jest.mock('../../containers/configure/api'); jest.mock('../../common/navigation/hooks'); +const useFetchActionLicenseMock = useGetActionLicense as jest.Mock; + describe('usePushToService', () => { const caseId = '12345'; - const updateCase = jest.fn(); const onEditClick = jest.fn(); const pushCaseToExternalService = jest.fn(); const mockPostPush = { @@ -65,16 +66,15 @@ describe('usePushToService', () => { hasDataToPush: true, onEditClick, isValidConnector: true, - updateCase, userCanCrud: true, }; beforeEach(() => { jest.clearAllMocks(); (usePostPushToService as jest.Mock).mockImplementation(() => mockPostPush); - (useGetActionLicense as jest.Mock).mockImplementation(() => ({ + useFetchActionLicenseMock.mockImplementation(() => ({ isLoading: false, - actionLicense, + data: actionLicense, })); }); 
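Review bot: The new alias `const useFetchActionLicenseMock = useGetActionLicense as jest.Mock;` in the `@@ -15,18 +15,19 @@` hunk of use_push_to_service/index.test.tsx names the mock after a `useFetch…` hook that does not exist in this diff, whereas every other test file touched here derives the alias from the hook name (`useGetConnectorsMock`, `useGetActionTypesMock`). Renaming it to `const useGetActionLicenseMock = useGetActionLicense as jest.Mock;` (and its uses in the `@@ -65,16 +66,15 @@` hunk and the hunks that follow) keeps the convention consistent and makes grep-by-hook-name work.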
@@ -102,9 +102,9 @@ describe('usePushToService', () => { }); it('Displays message when user does not have premium license', async () => { - (useGetActionLicense as jest.Mock).mockImplementation(() => ({ + useFetchActionLicenseMock.mockImplementation(() => ({ isLoading: false, - actionLicense: { + data: { ...actionLicense, enabledInLicense: false, }, @@ -124,9 +124,9 @@ describe('usePushToService', () => { }); it('Displays message when user does not have case enabled in config', async () => { - (useGetActionLicense as jest.Mock).mockImplementation(() => ({ + useFetchActionLicenseMock.mockImplementation(() => ({ isLoading: false, - actionLicense: { + data: { ...actionLicense, enabledInConfig: false, }, @@ -280,9 +280,9 @@ describe('usePushToService', () => { const noWriteProps = { ...defaultArgs, userCanCrud: false }; it('does not display a message when user does not have a premium license', async () => { - (useGetActionLicense as jest.Mock).mockImplementation(() => ({ + useFetchActionLicenseMock.mockImplementation(() => ({ isLoading: false, - actionLicense: { + data: { ...actionLicense, enabledInLicense: false, }, @@ -300,9 +300,9 @@ describe('usePushToService', () => { }); it('does not display a message when user does not have case enabled in config', async () => { - (useGetActionLicense as jest.Mock).mockImplementation(() => ({ + useFetchActionLicenseMock.mockImplementation(() => ({ isLoading: false, - actionLicense: { + data: { ...actionLicense, enabledInConfig: false, }, diff --git a/x-pack/plugins/cases/public/components/use_push_to_service/index.tsx b/x-pack/plugins/cases/public/components/use_push_to_service/index.tsx index b079a9d3d1b3d..b2c4e79a35596 100644 --- a/x-pack/plugins/cases/public/components/use_push_to_service/index.tsx +++ b/x-pack/plugins/cases/public/components/use_push_to_service/index.tsx 
@@ -8,7 +8,6 @@ import { EuiButtonEmpty, EuiToolTip } from '@elastic/eui'; import React, { useCallback, useMemo } from 'react'; -import { useGetActionLicense } from '../../containers/use_get_action_license'; import { usePostPushToService } from '../../containers/use_post_push_to_service'; import { CaseCallOut } from './callout'; import { @@ -19,10 +18,11 @@ import { getCaseClosedInfo, } from './helpers'; import * as i18n from './translations'; -import { Case } from '../../../common/ui/types'; import { CaseConnector, ActionConnector, CaseStatuses } from '../../../common/api'; import { CaseServices } from '../../containers/use_get_case_user_actions'; import { ErrorMessage } from './callout/types'; +import { useRefreshCaseViewPage } from '../case_view/use_on_refresh_case_view_page'; +import { useGetActionLicense } from '../../containers/use_get_action_license'; export interface UsePushToService { caseId: string; @@ -33,7 +33,6 @@ export interface UsePushToService { hasDataToPush: boolean; isValidConnector: boolean; onEditClick: () => void; - updateCase: (newCase: Case) => void; userCanCrud: boolean; } @@ -51,13 +50,13 @@ export const usePushToService = ({ hasDataToPush, isValidConnector, onEditClick, - updateCase, userCanCrud, }: UsePushToService): ReturnUsePushToService => { const { isLoading, pushCaseToExternalService } = usePostPushToService(); - const { isLoading: loadingLicense, actionLicense } = useGetActionLicense(); + const { isLoading: loadingLicense, data: actionLicense = null } = useGetActionLicense(); const hasLicenseError = actionLicense != null && !actionLicense.enabledInLicense; + const refreshCaseViewPage = useRefreshCaseViewPage(); const handlePushToService = useCallback(async () => { if (connector.id != null && connector.id !== 'none') { 
@@ -67,10 +66,10 @@ export const usePushToService = ({ }); if (theCase != null) { - updateCase(theCase); + refreshCaseViewPage(); } } - }, [caseId, connector, pushCaseToExternalService, updateCase]); + }, [caseId, connector, pushCaseToExternalService, refreshCaseViewPage]); const errorsMsg = useMemo(() => { const errors: ErrorMessage[] = []; diff --git a/x-pack/plugins/cases/public/components/user_actions/index.test.tsx b/x-pack/plugins/cases/public/components/user_actions/index.test.tsx index d05f378cd205a..b6122ebec4016 100644 --- a/x-pack/plugins/cases/public/components/user_actions/index.test.tsx +++ b/x-pack/plugins/cases/public/components/user_actions/index.test.tsx @@ -283,8 +283,6 @@ describe(`UserActions`, () => { commentUpdate: sampleData.content, caseId: 'case-id', commentId: props.data.comments[0].id, - fetchUserActions, - updateCase, version: props.data.comments[0].version, }); }); diff --git a/x-pack/plugins/cases/public/components/user_actions/index.tsx b/x-pack/plugins/cases/public/components/user_actions/index.tsx index 9cdfb37902c55..8dfa0a5ca84c4 100644 --- a/x-pack/plugins/cases/public/components/user_actions/index.tsx +++ b/x-pack/plugins/cases/public/components/user_actions/index.tsx @@ -81,7 +81,6 @@ export const UserActions = React.memo( caseServices, caseUserActions, data: caseData, - fetchUserActions, getRuleDetailsHref, actionsNavigation, isLoadingDescription, @@ -90,7 +89,6 @@ export const UserActions = React.memo( onShowAlertDetails, onUpdateField, statusActionButton, - updateCase, useFetchAlertData, userCanCrud, }: UserActionTreeProps) => { @@ -116,7 +114,7 @@ export const UserActions = React.memo( handleManageQuote, handleDeleteComment, handleUpdate, - } = useUserActionsHandler({ fetchUserActions, updateCase }); + } = useUserActionsHandler(); const MarkdownNewComment = useMemo( () => ( 
diff --git a/x-pack/plugins/cases/public/components/user_actions/types.ts b/x-pack/plugins/cases/public/components/user_actions/types.ts index 080ccf095c4f6..36a3053170d66 100644 --- a/x-pack/plugins/cases/public/components/user_actions/types.ts +++ b/x-pack/plugins/cases/public/components/user_actions/types.ts @@ -20,7 +20,6 @@ export interface UserActionTreeProps { caseServices: CaseServices; caseUserActions: CaseUserActions[]; data: Case; - fetchUserActions: () => void; getRuleDetailsHref?: RuleDetailsNavigation['href']; actionsNavigation?: ActionsNavigation; isLoadingDescription: boolean; @@ -29,7 +28,6 @@ export interface UserActionTreeProps { onShowAlertDetails: (alertId: string, index: string) => void; onUpdateField: ({ key, value, onSuccess, onError }: OnUpdateFields) => void; statusActionButton: JSX.Element | null; - updateCase: (newCase: Case) => void; useFetchAlertData: UseFetchAlertData; userCanCrud: boolean; } diff --git a/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.test.tsx b/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.test.tsx index 56b70391d4155..510be840d5436 100644 --- a/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.test.tsx +++ b/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.test.tsx 
@@ -9,16 +9,14 @@ import { renderHook, act } from '@testing-library/react-hooks'; import { basicCase } from '../../containers/mock'; import { useUpdateComment } from '../../containers/use_update_comment'; +import { useRefreshCaseViewPage } from '../case_view/use_on_refresh_case_view_page'; import { useLensDraftComment } from '../markdown_editor/plugins/lens/use_lens_draft_comment'; import { NEW_COMMENT_ID } from './constants'; -import { - useUserActionsHandler, - UseUserActionsHandlerArgs, - UseUserActionsHandler, -} from './use_user_actions_handler'; +import { useUserActionsHandler } from './use_user_actions_handler'; jest.mock('../../common/lib/kibana'); jest.mock('../../common/navigation/hooks'); +jest.mock('../case_view/use_on_refresh_case_view_page'); jest.mock('../markdown_editor/plugins/lens/use_lens_draft_comment'); jest.mock('../../containers/use_update_comment'); @@ -29,9 +27,6 @@ const clearDraftComment = jest.fn(); const openLensModal = jest.fn(); describe('useUserActionsHandler', () => { - const fetchUserActions = jest.fn(); - const updateCase = jest.fn(); - beforeAll(() => { jest.useFakeTimers(); jest.spyOn(global, 'setTimeout'); 
@@ -56,36 +51,27 @@ describe('useUserActionsHandler', () => { }); }); - it('should saves a comment', async () => { - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + it('should save a comment', async () => { + const { result } = renderHook(() => useUserActionsHandler()); result.current.handleSaveComment({ id: 'test-id', version: 'test-version' }, 'a comment'); expect(patchComment).toHaveBeenCalledWith({ caseId: 'basic-case-id', commentId: 'test-id', commentUpdate: 'a comment', - fetchUserActions, - updateCase, version: 'test-version', }); }); - it('should update a case', async () => { - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + it('should refresh the case case after updating', async () => { + const { result } = renderHook(() => useUserActionsHandler()); result.current.handleUpdate(basicCase); - expect(fetchUserActions).toHaveBeenCalled(); - expect(updateCase).toHaveBeenCalledWith(basicCase); + expect(useRefreshCaseViewPage()).toHaveBeenCalled(); }); it('should handle markdown edit', async () => { - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + const { result } = renderHook(() => useUserActionsHandler()); act(() => { result.current.handleManageMarkdownEditId('test-id'); @@ -96,9 +82,7 @@ describe('useUserActionsHandler', () => { }); it('should remove id from the markdown edit ids', async () => { - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + const { result } = renderHook(() => useUserActionsHandler()); act(() => { result.current.handleManageMarkdownEditId('test-id'); 
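Review bot: The new test title in the first hunk of use_user_actions_handler.test.tsx repeats a word, `it('should refresh the case case after updating', ...)`; it should read `it('should refresh the case after updating', async () => {`. The assertion `expect(useRefreshCaseViewPage()).toHaveBeenCalled();` in that test also calls the mocked hook a second time and asserts on whatever it returns; with the bare `jest.mock('../case_view/use_on_refresh_case_view_page')` added in the previous hunk that return value is `undefined` unless a `mockReturnValue` is configured somewhere outside this hunk, which I cannot see. Capturing the mock once, e.g. `const refreshCaseViewPage = jest.fn();` with `(useRefreshCaseViewPage as jest.Mock).mockReturnValue(refreshCaseViewPage);` in the setup and asserting on `refreshCaseViewPage`, makes the test independent of that detail.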
@@ -114,9 +98,7 @@ describe('useUserActionsHandler', () => { }); it('should outline a comment', async () => { - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + const { result } = renderHook(() => useUserActionsHandler()); act(() => { result.current.handleOutlineComment('test-id'); @@ -133,9 +115,7 @@ describe('useUserActionsHandler', () => { it('should quote', async () => { const addQuote = jest.fn(); - const { result } = renderHook(() => - useUserActionsHandler({ fetchUserActions, updateCase }) - ); + const { result } = renderHook(() => useUserActionsHandler()); result.current.commentRefs.current[NEW_COMMENT_ID] = { addQuote, diff --git a/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.tsx b/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.tsx index 4981e86251c18..5dfc84008e045 100644 --- a/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.tsx +++ b/x-pack/plugins/cases/public/components/user_actions/use_user_actions_handler.tsx @@ -12,14 +12,10 @@ import { useLensDraftComment } from '../markdown_editor/plugins/lens/use_lens_dr import { useUpdateComment } from '../../containers/use_update_comment'; import { AddCommentRefObject } from '../add_comment'; import { UserActionMarkdownRefObject } from './markdown_form'; -import { UserActionBuilderArgs, UserActionTreeProps } from './types'; +import { UserActionBuilderArgs } from './types'; import { NEW_COMMENT_ID } from './constants'; import { useDeleteComment } from '../../containers/use_delete_comment'; - -export type UseUserActionsHandlerArgs = Pick< - UserActionTreeProps, - 'fetchUserActions' | 'updateCase' ->; +import { useRefreshCaseViewPage } from '../case_view/use_on_refresh_case_view_page'; export type UseUserActionsHandler = Pick< UserActionBuilderArgs, 
@@ -41,10 +37,7 @@ const isAddCommentRef = ( return commentRef?.addQuote != null; }; -export const useUserActionsHandler = ({ - fetchUserActions, - updateCase, -}: UseUserActionsHandlerArgs): UseUserActionsHandler => { +export const useUserActionsHandler = (): UseUserActionsHandler => { const { detailName: caseId } = useCaseViewParams(); const { clearDraftComment, draftComment, hasIncomingLensState, openLensModal } = useLensDraftComment(); @@ -53,6 +46,7 @@ export const useUserActionsHandler = ({ const { deleteComment } = useDeleteComment(); const [selectedOutlineCommentId, setSelectedOutlineCommentId] = useState(''); const [manageMarkdownEditIds, setManageMarkdownEditIds] = useState([]); + const refreshCaseViewPage = useRefreshCaseViewPage(); const commentRefs = useRef< Record >({}); @@ -75,19 +69,17 @@ export const useUserActionsHandler = ({ caseId, commentId: id, commentUpdate: content, - fetchUserActions, version, - updateCase, }); }, - [caseId, fetchUserActions, patchComment, updateCase] + [caseId, patchComment] ); const handleDeleteComment = useCallback( (id: string) => { - deleteComment({ caseId, commentId: id, fetchUserActions, updateCase }); + deleteComment({ caseId, commentId: id }); }, - [caseId, deleteComment, fetchUserActions, updateCase] + [caseId, deleteComment] ); const handleOutlineComment = useCallback( @@ -129,14 +121,6 @@ export const useUserActionsHandler = ({ [handleOutlineComment] ); - const handleUpdate = useCallback( - (newCase: Case) => { - updateCase(newCase); - fetchUserActions(); - }, - [fetchUserActions, updateCase] - ); - useEffect(() => { if (draftComment?.commentId) { setManageMarkdownEditIds((prevManageMarkdownEditIds) => { @@ -172,6 +156,6 @@ export const useUserActionsHandler = ({ handleSaveComment, handleDeleteComment, handleManageQuote, - handleUpdate, + handleUpdate: refreshCaseViewPage, }; }; 
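Review bot: `handleUpdate: refreshCaseViewPage` replaces a `(newCase: Case) => void` with whatever `useRefreshCaseViewPage` returns, but `UseUserActionsHandler` is still `Pick<UserActionBuilderArgs, …>`, and if `UserActionBuilderArgs['handleUpdate']` (not visible here) still declares the `Case` parameter the assignment type-checks while every caller keeps passing a case that is silently discarded — the updated test still calls `handleUpdate(basicCase)`. Narrowing that member to `() => void` and dropping the argument at call sites would let the compiler find them. If the `Case` type was imported in this file only for the removed `handleUpdate`, that import (above the visible hunks) is now unused.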
diff --git a/x-pack/plugins/cases/public/containers/configure/use_action_types.test.tsx b/x-pack/plugins/cases/public/containers/configure/use_action_types.test.tsx
index 3b19e74d09208..df0804690b1b9 100644
--- a/x-pack/plugins/cases/public/containers/configure/use_action_types.test.tsx
+++ b/x-pack/plugins/cases/public/containers/configure/use_action_types.test.tsx
@@ -5,99 +5,44 @@ * 2.0. */ -import { renderHook, act } from '@testing-library/react-hooks'; -import { useActionTypes, UseActionTypesResponse } from './use_action_types'; +import { renderHook } from '@testing-library/react-hooks'; import * as api from './api'; -import { actionTypesMock } from '../../common/mock/connectors'; +import { AppMockRenderer, createAppMockRenderer } from '../../common/mock'; +import { useGetActionTypes } from './use_action_types'; +import { useToasts } from '../../common/lib/kibana'; jest.mock('./api'); jest.mock('../../common/lib/kibana'); describe('useActionTypes', () => { + let appMockRenderer: AppMockRenderer; beforeEach(() => { jest.clearAllMocks(); jest.restoreAllMocks(); + appMockRenderer = createAppMockRenderer(); }); - test('init', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useActionTypes() - ); - await waitForNextUpdate(); - expect(result.current).toEqual({ - loading: true, - actionTypes: [], - refetchActionTypes: result.current.refetchActionTypes, - }); + it('should fetch action types', async () => { + const spy = jest.spyOn(api, 'fetchActionTypes'); + const { waitForNextUpdate } = renderHook(() => useGetActionTypes(), { + wrapper: appMockRenderer.AppWrapper, }); - }); - - test('fetch action types', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useActionTypes() - ); - - await waitForNextUpdate(); - await waitForNextUpdate(); - expect(result.current).toEqual({ - loading: false, - actionTypes: actionTypesMock, - refetchActionTypes: result.current.refetchActionTypes, - }); - }); - }); - - test('refetch actionTypes', async () => { - const spyOnfetchActionTypes = jest.spyOn(api, 'fetchActionTypes'); - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useActionTypes() - ); - - await waitForNextUpdate(); - await waitForNextUpdate(); - - result.current.refetchActionTypes(); - 
expect(spyOnfetchActionTypes).toHaveBeenCalledTimes(2); - }); + await waitForNextUpdate(); + expect(spy).toHaveBeenCalledWith({ signal: expect.any(AbortSignal) }); }); - test('set isLoading to true when refetching actionTypes', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useActionTypes() - ); - - await waitForNextUpdate(); - await waitForNextUpdate(); - - result.current.refetchActionTypes(); - - expect(result.current.loading).toBe(true); - }); - }); - - test('unhappy path', async () => { - const spyOnfetchActionTypes = jest.spyOn(api, 'fetchActionTypes'); - spyOnfetchActionTypes.mockImplementation(() => { + it('should show a toast eror message if failed to fetch', async () => { + const spy = jest.spyOn(api, 'fetchActionTypes'); + spy.mockImplementation(() => { throw new Error('Something went wrong'); }); - - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useActionTypes() - ); - await waitForNextUpdate(); - await waitForNextUpdate(); - - expect(result.current).toEqual({ - loading: false, - actionTypes: [], - refetchActionTypes: result.current.refetchActionTypes, - }); + const addErrorMock = jest.fn(); + (useToasts as jest.Mock).mockReturnValue({ addError: addErrorMock }); + const { waitForNextUpdate } = renderHook(() => useGetActionTypes(), { + wrapper: appMockRenderer.AppWrapper, }); + await waitForNextUpdate(); + expect(addErrorMock).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/cases/public/containers/configure/use_action_types.tsx b/x-pack/plugins/cases/public/containers/configure/use_action_types.tsx index eaaadd65d29d1..caca1de7afcec 100644 --- a/x-pack/plugins/cases/public/containers/configure/use_action_types.tsx +++ b/x-pack/plugins/cases/public/containers/configure/use_action_types.tsx 
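Review bot: The new test name `'should show a toast eror message if failed to fetch'` misspells "error"; `'should show a toast error message if it fails to fetch'` would fix it. In that test `(useToasts as jest.Mock).mockReturnValue({ addError: addErrorMock })` is never undone — `jest.clearAllMocks()` clears call records and `jest.restoreAllMocks()` only restores `jest.spyOn` spies, so the return value would leak into any test added after it; `jest.resetAllMocks()` in `beforeEach`, or setting the return value per test, avoids that order dependence.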
@@ -5,67 +5,28 @@ * 2.0. */ -import { useState, useEffect, useCallback, useRef } from 'react'; - +import { useQuery } from 'react-query'; import * as i18n from '../translations'; import { fetchActionTypes } from './api'; -import { ActionTypeConnector } from './types'; import { useToasts } from '../../common/lib/kibana'; +import { CASE_CONFIGURATION_CACHE_KEY } from '../constants'; +import { ServerError } from '../../types'; -export interface UseActionTypesResponse { - loading: boolean; - actionTypes: ActionTypeConnector[]; - refetchActionTypes: () => void; -} - -export const useActionTypes = (): UseActionTypesResponse => { +export const useGetActionTypes = () => { const toasts = useToasts(); - const [loading, setLoading] = useState(true); - const [actionTypes, setActionTypes] = useState([]); - const isCancelledRef = useRef(false); - const abortCtrlRef = useRef(new AbortController()); - const queryFirstTime = useRef(true); - - const refetchActionTypes = useCallback(async () => { - try { - setLoading(true); - isCancelledRef.current = false; - abortCtrlRef.current.abort(); - abortCtrlRef.current = new AbortController(); - - const res = await fetchActionTypes({ signal: abortCtrlRef.current.signal }); - - if (!isCancelledRef.current) { - setLoading(false); - setActionTypes(res); - } - } catch (error) { - if (!isCancelledRef.current) { - setLoading(false); - setActionTypes([]); + return useQuery( + [CASE_CONFIGURATION_CACHE_KEY, 'actionTypes'], + () => { + const abortController = new AbortController(); + return fetchActionTypes({ signal: abortController.signal }); + }, + { + initialData: [], + onError: (error: ServerError) => { toasts.addError(error.body && error.body.message ? 
new Error(error.body.message) : error, { title: i18n.ERROR_TITLE, }); - } + }, } - }, [toasts]); - - useEffect(() => { - if (queryFirstTime.current) { - refetchActionTypes(); - queryFirstTime.current = false; - } - - return () => { - isCancelledRef.current = true; - abortCtrlRef.current.abort(); - queryFirstTime.current = true; - }; - }, [refetchActionTypes]); - - return { - loading, - actionTypes, - refetchActionTypes, - }; + ); }; diff --git a/x-pack/plugins/cases/public/containers/configure/use_connectors.test.tsx b/x-pack/plugins/cases/public/containers/configure/use_connectors.test.tsx index b1a3bac22d56f..076e1a8408482 100644 --- a/x-pack/plugins/cases/public/containers/configure/use_connectors.test.tsx +++ b/x-pack/plugins/cases/public/containers/configure/use_connectors.test.tsx @@ -6,12 +6,11 @@ */ import React from 'react'; -import { renderHook, act } from '@testing-library/react-hooks'; -import { useConnectors, UseConnectorsResponse } from './use_connectors'; +import { renderHook } from '@testing-library/react-hooks'; import * as api from './api'; -import { connectorsMock } from '../mock'; import { TestProviders } from '../../common/mock'; -import { useApplicationCapabilities } from '../../common/lib/kibana'; +import { useApplicationCapabilities, useToasts } from '../../common/lib/kibana'; +import { useGetConnectors } from './use_connectors'; const useApplicationCapabilitiesMock = useApplicationCapabilities as jest.Mocked< typeof useApplicationCapabilities 
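Review bot: The `AbortController` created inside the query function is never aborted — nothing keeps a reference to it after `fetchActionTypes` is called — so the `signal` it passes is dead code and the cancel-on-unmount/refetch behaviour of the removed `abortCtrlRef` code is gone. If the project's react-query version passes a signal in the query-function context, `({ signal }) => fetchActionTypes({ signal })` restores cancellation; otherwise drop the controller so readers don't assume requests are cancelled. The same pattern appears in `useGetConnectors` (use_connectors.tsx) and `useGetActionLicense` (use_get_action_license.tsx) in this commit. Also, this `onError` does not skip `AbortError` while the other two hooks do, and `initialData: []` makes the query report success rather than loading on first render before the fetch completes — confirm consumers don't rely on `isLoading`.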
@@ -25,140 +24,45 @@ describe('useConnectors', () => { jest.clearAllMocks(); }); - it('init', async () => { - await act(async () => { - const { result, waitFor } = renderHook(() => useConnectors(), { - wrapper: ({ children }) => {children}, - }); - - await waitFor(() => { - expect(result.current).toEqual({ - loading: true, - connectors: [], - refetchConnectors: result.current.refetchConnectors, - }); - }); + it('fetches connectors', async () => { + const spy = jest.spyOn(api, 'fetchConnectors'); + const { waitForNextUpdate } = renderHook(() => useGetConnectors(), { + wrapper: ({ children }) => {children}, }); - }); - - it('fetch connectors', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - await waitForNextUpdate(); - - expect(result.current).toEqual({ - loading: false, - connectors: connectorsMock, - refetchConnectors: result.current.refetchConnectors, - }); - }); - }); + await waitForNextUpdate(); - it('refetch connectors', async () => { - const spyOnfetchConnectors = jest.spyOn(api, 'fetchConnectors'); - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - await waitForNextUpdate(); - result.current.refetchConnectors(); - expect(spyOnfetchConnectors).toHaveBeenCalledTimes(2); - }); + expect(spy).toHaveBeenCalledWith({ signal: expect.any(AbortSignal) }); }); - it('set isLoading to true when refetching connectors', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - await waitForNextUpdate(); - result.current.refetchConnectors(); - - expect(result.current.loading).toBe(true); - }); - }); + it('shows a toast error when the API returns error', async () => { + const addError = jest.fn(); + (useToasts as 
jest.Mock).mockReturnValue({ addError }); - it('unhappy path', async () => { const spyOnfetchConnectors = jest.spyOn(api, 'fetchConnectors'); spyOnfetchConnectors.mockImplementation(() => { throw new Error('Something went wrong'); }); - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - await waitForNextUpdate(); - - expect(result.current).toEqual({ - loading: false, - connectors: [], - refetchConnectors: result.current.refetchConnectors, - }); + const { waitForNextUpdate } = renderHook(() => useGetConnectors(), { + wrapper: ({ children }) => {children}, }); + await waitForNextUpdate(); + + expect(addError).toHaveBeenCalled(); }); it('does not fetch connectors when the user does not has access to actions', async () => { const spyOnFetchConnectors = jest.spyOn(api, 'fetchConnectors'); useApplicationCapabilitiesMock().actions = { crud: false, read: false }; - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - - await waitForNextUpdate(); - - expect(result.current).toEqual({ - loading: false, - connectors: [], - refetchConnectors: result.current.refetchConnectors, - }); + const { result, waitForNextUpdate } = renderHook(() => useGetConnectors(), { + wrapper: ({ children }) => {children}, }); - expect(spyOnFetchConnectors).not.toHaveBeenCalled(); - }); - - it('does not refetch connectors when the user does not has access to actions', async () => { - const spyOnFetchConnectors = jest.spyOn(api, 'fetchConnectors'); - useApplicationCapabilitiesMock().actions = { crud: false, read: false }; - - await act(async () => { - const { result, waitForNextUpdate } = renderHook( - () => useConnectors(), - { - wrapper: ({ children }) => {children}, - } - ); - - await waitForNextUpdate(); - result.current.refetchConnectors(); - - expect(result.current).toEqual({ - loading: 
false, - connectors: [], - refetchConnectors: result.current.refetchConnectors, - }); - }); + await waitForNextUpdate(); expect(spyOnFetchConnectors).not.toHaveBeenCalled(); + expect(result.current.data).toEqual([]); }); }); diff --git a/x-pack/plugins/cases/public/containers/configure/use_connectors.tsx b/x-pack/plugins/cases/public/containers/configure/use_connectors.tsx index e8176f5f397e8..9f1d3f38655ae 100644 --- a/x-pack/plugins/cases/public/containers/configure/use_connectors.tsx +++ b/x-pack/plugins/cases/public/containers/configure/use_connectors.tsx 
@@ -5,95 +5,34 @@ * 2.0. */ -import { useState, useEffect, useCallback, useRef } from 'react'; - +import { useQuery } from 'react-query'; import { fetchConnectors } from './api'; -import { ActionConnector } from './types'; import { useApplicationCapabilities, useToasts } from '../../common/lib/kibana'; import * as i18n from './translations'; +import { CASE_CONNECTORS_CACHE_KEY } from '../constants'; +import { ServerError } from '../../types'; -interface ConnectorsState { - loading: boolean; - connectors: ActionConnector[]; -} - -export interface UseConnectorsResponse { - loading: boolean; - connectors: ActionConnector[]; - refetchConnectors: () => void; - permissionsError?: string; -} - -/** - * Retrieves the configured case connectors - * - * @param toastPermissionsErrors boolean controlling whether 403 and 401 errors should be displayed in a toast error - */ -export const useConnectors = (): UseConnectorsResponse => { +export function useGetConnectors() { const toasts = useToasts(); const { actions } = useApplicationCapabilities(); - const [state, setState] = useState({ - loading: true, - connectors: [], - }); - - const isCancelledRef = useRef(false); - const abortCtrlRef = useRef(new AbortController()); - const refetchConnectors = useCallback(async () => { - if (!actions.read) { - setState({ - loading: false, - connectors: [], - }); - - return; - } - - try { - isCancelledRef.current = false; - abortCtrlRef.current.abort(); - abortCtrlRef.current = new AbortController(); - setState({ - ...state, - loading: true, - }); - const res = await fetchConnectors({ signal: abortCtrlRef.current.signal }); - - if (!isCancelledRef.current) { - setState({ - loading: false, - connectors: res, - }); + return useQuery( + [CASE_CONNECTORS_CACHE_KEY], + async () => { + if (!actions.read) { + return []; } - } catch (error) { - if (!isCancelledRef.current) { + const abortCtrl = new AbortController(); + return fetchConnectors({ signal: abortCtrl.signal }); + }, + { + onError: (error: 
ServerError) => { if (error.name !== 'AbortError') { toasts.addError( error.body && error.body.message ? new Error(error.body.message) : error, { title: i18n.ERROR_TITLE } ); } - setState({ - loading: false, - connectors: [], - }); - } + }, } - // eslint-disable-next-line react-hooks/exhaustive-deps - }, []); - - useEffect(() => { - refetchConnectors(); - return () => { - isCancelledRef.current = true; - abortCtrlRef.current.abort(); - }; - // eslint-disable-next-line react-hooks/exhaustive-deps - }, []); - - return { - loading: state.loading, - connectors: state.connectors, - refetchConnectors, - }; -}; + ); +} diff --git a/x-pack/plugins/cases/public/containers/constants.ts b/x-pack/plugins/cases/public/containers/constants.ts index 8b45ca1e9f607..6d1b9d18c423c 100644 --- a/x-pack/plugins/cases/public/containers/constants.ts +++ b/x-pack/plugins/cases/public/containers/constants.ts @@ -11,3 +11,7 @@ export const DEFAULT_TABLE_LIMIT = 5; export const CASE_VIEW_CACHE_KEY = 'case'; export const CASE_VIEW_ACTIONS_CACHE_KEY = 'user-actions'; export const CASE_VIEW_METRICS_CACHE_KEY = 'metrics'; +export const CASE_CONFIGURATION_CACHE_KEY = 'case-configuration'; +export const CASE_LIST_CACHE_KEY = 'case-list'; +export const CASE_CONNECTORS_CACHE_KEY = 'case-connectors'; +export const CASE_LICENSE_CACHE_KEY = 'case-license-action'; diff --git a/x-pack/plugins/cases/public/containers/use_delete_comment.test.tsx b/x-pack/plugins/cases/public/containers/use_delete_comment.test.tsx index 8cf0eb6c78faa..ed038e23f8d7d 100644 --- a/x-pack/plugins/cases/public/containers/use_delete_comment.test.tsx +++ b/x-pack/plugins/cases/public/containers/use_delete_comment.test.tsx 
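Review bot: `actions.read` decides whether the query function fetches or resolves to `[]`, but it is not part of the query key `[CASE_CONNECTORS_CACHE_KEY]`, so a cached empty list (or a cached connector list) can be served unchanged if the capability value changes while the entry is cached; `[CASE_CONNECTORS_CACHE_KEY, actions.read]` keeps the two states apart. The JSDoc that described the removed `useConnectors` was dropped and the new `useGetConnectors` has none; a replacement such as `/** Fetches the configured case connectors via react-query; resolves to [] without calling the API when the user lacks the actions read capability — a client-side short-cut, not an authorization boundary. */` would restore it. The `AbortController` here is never aborted, as noted on use_action_types.tsx.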
@@ -9,13 +9,13 @@ import { act, renderHook } from '@testing-library/react-hooks'; import { useDeleteComment, UseDeleteComment } from './use_delete_comment'; import * as api from './api'; import { basicCaseId } from './mock'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; jest.mock('../common/lib/kibana'); jest.mock('./api'); +jest.mock('../components/case_view/use_on_refresh_case_view_page'); const commentId = 'ab124'; -const fetchUserActions = jest.fn(); -const updateCase = jest.fn(); describe('useDeleteComment', () => { it('init', async () => { @@ -43,8 +43,6 @@ describe('useDeleteComment', () => { result.current.deleteComment({ caseId: basicCaseId, commentId, - fetchUserActions, - updateCase, }); await waitForNextUpdate(); expect(spyOnDeleteComment).toBeCalledWith({ @@ -56,9 +54,7 @@ describe('useDeleteComment', () => { }); }); - it('fetches the case information', async () => { - const spyOnGetCase = jest.spyOn(api, 'getCase'); - + it('refreshes the case page view after delete', async () => { await act(async () => { const { result, waitForNextUpdate } = renderHook(() => useDeleteComment() @@ -68,11 +64,9 @@ describe('useDeleteComment', () => { result.current.deleteComment({ caseId: basicCaseId, commentId, - fetchUserActions, - updateCase, }); await waitForNextUpdate(); - expect(spyOnGetCase).toBeCalledWith(basicCaseId, true, expect.any(AbortSignal)); + expect(useRefreshCaseViewPage()).toBeCalled(); }); }); @@ -89,8 +83,6 @@ describe('useDeleteComment', () => { result.current.deleteComment({ caseId: basicCaseId, commentId, - fetchUserActions, - updateCase, }); await waitForNextUpdate(); expect(spyOnDeleteComment).toBeCalledWith({ diff --git a/x-pack/plugins/cases/public/containers/use_delete_comment.tsx b/x-pack/plugins/cases/public/containers/use_delete_comment.tsx index 3568450659aac..8c0d9d204d6cc 100644 --- a/x-pack/plugins/cases/public/containers/use_delete_comment.tsx 
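Review bot: `jest.mock('../components/case_view/use_on_refresh_case_view_page')` with no factory relies on Jest automocking, under which `useRefreshCaseViewPage()` returns `undefined` and `expect(useRefreshCaseViewPage()).toBeCalled()` would throw; the assertion only works if a manual mock under a `__mocks__` directory (not visible in this view) makes the hook return a stable `jest.fn`. A one-line comment next to the `jest.mock` call, `// manual mock: useRefreshCaseViewPage returns a shared jest.fn so its calls can be asserted`, would spare the next reader the hunt, or the test could set it explicitly with `mockReturnValue`. The same assertion pattern is used in use_update_case.test.tsx, use_update_comment.test.tsx and use_user_actions_handler.test.tsx.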
+++ b/x-pack/plugins/cases/public/containers/use_delete_comment.tsx @@ -7,9 +7,9 @@ import { useReducer, useCallback, useRef, useEffect } from 'react'; import { useToasts } from '../common/lib/kibana'; -import { deleteComment, getCase } from './api'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; +import { deleteComment } from './api'; import * as i18n from './translations'; -import { Case } from './types'; interface CommentDeleteState { isError: boolean; @@ -49,12 +49,10 @@ const dataFetchReducer = (state: CommentDeleteState, action: Action): CommentDel interface DeleteComment { caseId: string; commentId: string; - fetchUserActions: () => void; - updateCase: (newCase: Case) => void; } export interface UseDeleteComment extends CommentDeleteState { - deleteComment: ({ caseId, commentId, fetchUserActions }: DeleteComment) => void; + deleteComment: ({ caseId, commentId }: DeleteComment) => void; } export const useDeleteComment = (): UseDeleteComment => { @@ -64,9 +62,10 @@ export const useDeleteComment = (): UseDeleteComment => { const toasts = useToasts(); const isCancelledRef = useRef(false); const abortCtrlRef = useRef(new AbortController()); + const refreshCaseViewPage = useRefreshCaseViewPage(); const dispatchDeleteComment = useCallback( - async ({ caseId, commentId, fetchUserActions, updateCase }: DeleteComment) => { + async ({ caseId, commentId }: DeleteComment) => { try { isCancelledRef.current = false; abortCtrlRef.current.abort(); @@ -80,9 +79,7 @@ export const useDeleteComment = (): UseDeleteComment => { }); if (!isCancelledRef.current) { - const theCase = await getCase(caseId, true, abortCtrlRef.current.signal); - updateCase(theCase); - fetchUserActions(); + refreshCaseViewPage(); dispatch({ type: 'FETCH_SUCCESS', payload: { commentId } }); } } catch (error) { 
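Review bot: `refreshCaseViewPage()` is now called inside `dispatchDeleteComment`, but the `useCallback` dependency array that closes over it lies outside the `@@ -80,9 +79,7 @@` hunk; unless `refreshCaseViewPage` was added there, the callback keeps the first render's function after the hook's return value changes. The same applies to `dispatchUpdateCaseProperty` in use_update_case.tsx and `dispatchUpdateComment` in use_update_comment.tsx, whose dependency arrays are also out of view. Note also that `FETCH_SUCCESS` is now dispatched right after `refreshCaseViewPage()` instead of after the awaited `getCase`, so if the refresh is asynchronous the success state precedes the refreshed data — probably intended, but a comment such as `// refresh is fire-and-forget; success no longer waits for the case to be re-fetched` would make that explicit.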
diff --git a/x-pack/plugins/cases/public/containers/use_get_action_license.test.tsx b/x-pack/plugins/cases/public/containers/use_get_action_license.test.tsx
index ae6a884514161..9ad55fe496a0e 100644
--- a/x-pack/plugins/cases/public/containers/use_get_action_license.test.tsx
+++ b/x-pack/plugins/cases/public/containers/use_get_action_license.test.tsx
@@ -5,87 +5,48 @@ * 2.0. */ -import { renderHook, act } from '@testing-library/react-hooks'; -import { initialData, useGetActionLicense, ActionLicenseState } from './use_get_action_license'; -import { actionLicenses } from './mock'; +import { renderHook } from '@testing-library/react-hooks'; import * as api from './api'; +import { useGetActionLicense } from './use_get_action_license'; +import { AppMockRenderer, createAppMockRenderer } from '../common/mock'; +import { useToasts } from '../common/lib/kibana'; jest.mock('./api'); jest.mock('../common/lib/kibana'); describe('useGetActionLicense', () => { const abortCtrl = new AbortController(); + let appMockRenderer: AppMockRenderer; beforeEach(() => { jest.clearAllMocks(); jest.restoreAllMocks(); - }); - - it('init', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useGetActionLicense() - ); - await waitForNextUpdate(); - expect(result.current).toEqual(initialData); - }); + appMockRenderer = createAppMockRenderer(); }); it('calls getActionLicense with correct arguments', async () => { const spyOnGetActionLicense = jest.spyOn(api, 'getActionLicense'); - - await act(async () => { - const { waitForNextUpdate } = renderHook(() => - useGetActionLicense() - ); - await waitForNextUpdate(); - await waitForNextUpdate(); - expect(spyOnGetActionLicense).toBeCalledWith(abortCtrl.signal); - }); - }); - - it('gets action license', async () => { - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useGetActionLicense() - ); - await waitForNextUpdate(); - await waitForNextUpdate(); - expect(result.current).toEqual({ - isLoading: false, - isError: false, - actionLicense: actionLicenses[1], - }); + const { waitForNextUpdate } = renderHook(() => useGetActionLicense(), { + wrapper: appMockRenderer.AppWrapper, }); - }); - it('set isLoading to true when posting case', async () => { - await act(async () => { - const { result, waitForNextUpdate } = 
renderHook(() => - useGetActionLicense() - ); - await waitForNextUpdate(); - expect(result.current.isLoading).toBe(true); - }); + await waitForNextUpdate(); + expect(spyOnGetActionLicense).toBeCalledWith(abortCtrl.signal); }); it('unhappy path', async () => { + const addError = jest.fn(); + + (useToasts as jest.Mock).mockReturnValue({ addError }); const spyOnGetActionLicense = jest.spyOn(api, 'getActionLicense'); spyOnGetActionLicense.mockImplementation(() => { throw new Error('Something went wrong'); }); - await act(async () => { - const { result, waitForNextUpdate } = renderHook(() => - useGetActionLicense() - ); - await waitForNextUpdate(); - await waitForNextUpdate(); - - expect(result.current).toEqual({ - actionLicense: null, - isLoading: false, - isError: true, - }); + const { waitForNextUpdate } = renderHook(() => useGetActionLicense(), { + wrapper: appMockRenderer.AppWrapper, }); + await waitForNextUpdate(); + + expect(addError).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/cases/public/containers/use_get_action_license.tsx b/x-pack/plugins/cases/public/containers/use_get_action_license.tsx index 7618f8c06d9ae..a64a449783ba9 100644 --- a/x-pack/plugins/cases/public/containers/use_get_action_license.tsx +++ b/x-pack/plugins/cases/public/containers/use_get_action_license.tsx 
@@ -5,81 +5,34 @@ * 2.0. */ -import { useCallback, useEffect, useState, useRef } from 'react'; - +import { useQuery } from 'react-query'; import { useToasts } from '../common/lib/kibana'; import { getActionLicense } from './api'; import * as i18n from './translations'; -import { ActionLicense } from './types'; import { ConnectorTypes } from '../../common/api'; - -export interface ActionLicenseState { - actionLicense: ActionLicense | null; - isLoading: boolean; - isError: boolean; -} - -export const initialData: ActionLicenseState = { - actionLicense: null, - isLoading: true, - isError: false, -}; +import { CASE_LICENSE_CACHE_KEY } from './constants'; +import { ServerError } from '../types'; const MINIMUM_LICENSE_REQUIRED_CONNECTOR = ConnectorTypes.jira; -export const useGetActionLicense = (): ActionLicenseState => { - const [actionLicenseState, setActionLicensesState] = useState(initialData); +export const useGetActionLicense = () => { const toasts = useToasts(); - const isCancelledRef = useRef(false); - const abortCtrlRef = useRef(new AbortController()); - - const fetchActionLicense = useCallback(async () => { - try { - isCancelledRef.current = false; - abortCtrlRef.current.abort(); - abortCtrlRef.current = new AbortController(); - setActionLicensesState({ - ...initialData, - isLoading: true, - }); - - const response = await getActionLicense(abortCtrlRef.current.signal); - - if (!isCancelledRef.current) { - setActionLicensesState({ - actionLicense: response.find((l) => l.id === MINIMUM_LICENSE_REQUIRED_CONNECTOR) ?? null, - isLoading: false, - isError: false, - }); - } - } catch (error) { - if (!isCancelledRef.current) { + return useQuery( + [CASE_LICENSE_CACHE_KEY], + async () => { + const abortCtrl = new AbortController(); + const response = await getActionLicense(abortCtrl.signal); + return response.find((l) => l.id === MINIMUM_LICENSE_REQUIRED_CONNECTOR) ?? 
null; + }, + { + onError: (error: ServerError) => { if (error.name !== 'AbortError') { toasts.addError( error.body && error.body.message ? new Error(error.body.message) : error, { title: i18n.ERROR_TITLE } ); } - - setActionLicensesState({ - actionLicense: null, - isLoading: false, - isError: true, - }); - } + }, } - // eslint-disable-next-line react-hooks/exhaustive-deps - }, [actionLicenseState]); - - useEffect(() => { - fetchActionLicense(); - - return () => { - isCancelledRef.current = true; - abortCtrlRef.current.abort(); - }; - // eslint-disable-next-line react-hooks/exhaustive-deps - }, []); - - return { ...actionLicenseState }; + ); }; diff --git a/x-pack/plugins/cases/public/containers/use_update_case.test.tsx b/x-pack/plugins/cases/public/containers/use_update_case.test.tsx index 52ab9d3a3ebc5..f3fc3caa3718d 100644 --- a/x-pack/plugins/cases/public/containers/use_update_case.test.tsx +++ b/x-pack/plugins/cases/public/containers/use_update_case.test.tsx @@ -10,23 +10,21 @@ import { useUpdateCase, UseUpdateCase } from './use_update_case'; import { basicCase } from './mock'; import * as api from './api'; import { UpdateKey } from './types'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; jest.mock('./api'); jest.mock('../common/lib/kibana'); +jest.mock('../components/case_view/use_on_refresh_case_view_page'); describe('useUpdateCase', () => { const abortCtrl = new AbortController(); - const fetchCaseUserActions = jest.fn(); - const updateCase = jest.fn(); const updateKey: UpdateKey = 'description'; const onSuccess = jest.fn(); const onError = jest.fn(); const sampleUpdate = { - fetchCaseUserActions, updateKey, updateValue: 'updated description', - updateCase, caseData: basicCase, onSuccess, onError, 
@@ -71,7 +69,7 @@ describe('useUpdateCase', () => { }); }); - it('patch case', async () => { + it('patch case and refresh the case page', async () => { await act(async () => { const { result, waitForNextUpdate } = renderHook(() => useUpdateCase({ caseId: basicCase.id }) @@ -85,8 +83,7 @@ describe('useUpdateCase', () => { isError: false, updateCaseProperty: result.current.updateCaseProperty, }); - expect(fetchCaseUserActions).toBeCalledWith(basicCase.id, 'none'); - expect(updateCase).toBeCalledWith(basicCase); + expect(useRefreshCaseViewPage()).toHaveBeenCalled(); expect(onSuccess).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/cases/public/containers/use_update_case.tsx b/x-pack/plugins/cases/public/containers/use_update_case.tsx index eedaf1fca7a8e..ac358ec0a2bbc 100644 --- a/x-pack/plugins/cases/public/containers/use_update_case.tsx +++ b/x-pack/plugins/cases/public/containers/use_update_case.tsx @@ -12,6 +12,7 @@ import { patchCase } from './api'; import { UpdateKey, UpdateByKey } from '../../common/ui/types'; import * as i18n from './translations'; import { createUpdateSuccessToaster } from './utils'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; interface NewCaseState { isLoading: boolean; @@ -65,17 +66,10 @@ export const useUpdateCase = ({ caseId }: { caseId: string }): UseUpdateCase => const toasts = useToasts(); const isCancelledRef = useRef(false); const abortCtrlRef = useRef(new AbortController()); + const refreshCaseViewPage = useRefreshCaseViewPage(); const dispatchUpdateCaseProperty = useCallback( - async ({ - fetchCaseUserActions, - updateKey, - updateValue, - updateCase, - caseData, - onSuccess, - onError, - }: UpdateByKey) => { + async ({ updateKey, updateValue, caseData, onSuccess, onError }: UpdateByKey) => { try { isCancelledRef.current = false; abortCtrlRef.current.abort(); 
@@ -90,12 +84,7 @@ export const useUpdateCase = ({ caseId }: { caseId: string }): UseUpdateCase => ); if (!isCancelledRef.current) { - if (fetchCaseUserActions != null) { - fetchCaseUserActions(caseId, response[0].connector.id); - } - if (updateCase != null) { - updateCase(response[0]); - } + refreshCaseViewPage(); dispatch({ type: 'FETCH_SUCCESS' }); toasts.addSuccess( createUpdateSuccessToaster(caseData, response[0], updateKey, updateValue) diff --git a/x-pack/plugins/cases/public/containers/use_update_comment.test.tsx b/x-pack/plugins/cases/public/containers/use_update_comment.test.tsx index 9e5358a5f8b5e..27786f445ef20 100644 --- a/x-pack/plugins/cases/public/containers/use_update_comment.test.tsx +++ b/x-pack/plugins/cases/public/containers/use_update_comment.test.tsx @@ -8,13 +8,15 @@ import React from 'react'; import { renderHook, act } from '@testing-library/react-hooks'; import { useUpdateComment, UseUpdateComment } from './use_update_comment'; -import { basicCase, basicCaseCommentPatch } from './mock'; +import { basicCase } from './mock'; import * as api from './api'; import { TestProviders } from '../common/mock'; import { SECURITY_SOLUTION_OWNER } from '../../common/constants'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; jest.mock('./api'); jest.mock('../common/lib/kibana'); +jest.mock('../components/case_view/use_on_refresh_case_view_page'); describe('useUpdateComment', () => { const abortCtrl = new AbortController(); @@ -82,8 +84,7 @@ describe('useUpdateComment', () => { isError: false, patchComment: result.current.patchComment, }); - expect(fetchUserActions).toBeCalled(); - expect(updateCase).toBeCalledWith(basicCaseCommentPatch); + expect(useRefreshCaseViewPage()).toBeCalled(); }); }); diff --git a/x-pack/plugins/cases/public/containers/use_update_comment.tsx b/x-pack/plugins/cases/public/containers/use_update_comment.tsx index 1a457237d2e64..772d40bff77bc 100644 
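Review bot: `refreshCaseViewPage()` is now called from inside `dispatchUpdateCaseProperty`, but the `useCallback` dependency array for that callback lies outside this hunk and is not touched by the commit; if it still lists only the earlier dependencies (or is `[]` behind an eslint-disable), the closure keeps the `refreshCaseViewPage` instance from the first render. use_update_comment.tsx in this same commit updates its array to `[owner, refreshCaseViewPage, toasts]`; the equivalent here would be adding `refreshCaseViewPage` (and `toasts` if it is not already there) to the dependency list of `dispatchUpdateCaseProperty`. The enclosing callback and its dependency array end outside the hunk.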
--- a/x-pack/plugins/cases/public/containers/use_update_comment.tsx +++ b/x-pack/plugins/cases/public/containers/use_update_comment.tsx @@ -8,9 +8,9 @@ import { useReducer, useCallback, useRef, useEffect } from 'react'; import { useToasts } from '../common/lib/kibana'; import { useCasesContext } from '../components/cases_context/use_cases_context'; +import { useRefreshCaseViewPage } from '../components/case_view/use_on_refresh_case_view_page'; import { patchComment } from './api'; import * as i18n from './translations'; -import { Case } from './types'; interface CommentUpdateState { isLoadingIds: string[]; @@ -55,13 +55,11 @@ interface UpdateComment { caseId: string; commentId: string; commentUpdate: string; - fetchUserActions: () => void; - updateCase: (newCase: Case) => void; version: string; } export interface UseUpdateComment extends CommentUpdateState { - patchComment: ({ caseId, commentId, commentUpdate, fetchUserActions }: UpdateComment) => void; + patchComment: ({ caseId, commentId, commentUpdate }: UpdateComment) => void; } export const useUpdateComment = (): UseUpdateComment => { @@ -75,23 +73,17 @@ export const useUpdateComment = (): UseUpdateComment => { // this hook guarantees that there will be at least one value in the owner array, we'll // just use the first entry just in case there are more than one entry const owner = useCasesContext().owner[0]; + const refreshCaseViewPage = useRefreshCaseViewPage(); const dispatchUpdateComment = useCallback( - async ({ - caseId, - commentId, - commentUpdate, - fetchUserActions, - updateCase, - version, - }: UpdateComment) => { + async ({ caseId, commentId, commentUpdate, version }: UpdateComment) => { try { isCancelledRef.current = false; abortCtrlRef.current.abort(); abortCtrlRef.current = new AbortController(); dispatch({ type: 'FETCH_INIT', payload: commentId }); - const response = await patchComment({ + await patchComment({ caseId, commentId, commentUpdate, 
@@ -101,8 +93,7 @@ export const useUpdateComment = (): UseUpdateComment => { }); if (!isCancelledRef.current) { - updateCase(response); - fetchUserActions(); + refreshCaseViewPage(); dispatch({ type: 'FETCH_SUCCESS', payload: { commentId } }); } } catch (error) { @@ -117,8 +108,7 @@ export const useUpdateComment = (): UseUpdateComment => { } } }, - // eslint-disable-next-line react-hooks/exhaustive-deps - [] + [owner, refreshCaseViewPage, toasts] ); useEffect( diff --git a/x-pack/plugins/cloud/public/plugin.test.ts b/x-pack/plugins/cloud/public/plugin.test.ts index 36be9e590f216..666af04b4bee6 100644 --- a/x-pack/plugins/cloud/public/plugin.test.ts +++ b/x-pack/plugins/cloud/public/plugin.test.ts @@ -136,6 +136,7 @@ describe('Cloud Plugin', () => { await expect(firstValueFrom(context$)).resolves.toEqual({ userId: '5ef112cfdae3dea57097bc276e275b2816e73ef2a398dc0ffaf5b6b4e3af2041', + isElasticCloudUser: false, }); }); @@ -150,7 +151,7 @@ describe('Cloud Plugin', () => { ([{ name }]) => name === 'cloud_user_id' )!; - const hashId1 = await firstValueFrom(context1$); + const { userId: hashId1 } = (await firstValueFrom(context1$)) as { userId: string }; expect(hashId1).not.toEqual(expectedHashedPlainUsername); const { coreSetup: coreSetup2 } = await setupPlugin({ @@ -163,7 +164,7 @@ describe('Cloud Plugin', () => { ([{ name }]) => name === 'cloud_user_id' )!; - const hashId2 = await firstValueFrom(context2$); + const { userId: hashId2 } = (await firstValueFrom(context2$)) as { userId: string }; expect(hashId2).not.toEqual(expectedHashedPlainUsername); expect(hashId1).not.toEqual(hashId2); @@ -186,6 +187,7 @@ describe('Cloud Plugin', () => { await expect(firstValueFrom(context$)).resolves.toEqual({ userId: expectedHashedPlainUsername, + isElasticCloudUser: true, }); }); @@ -203,6 +205,7 @@ describe('Cloud Plugin', () => { await expect(firstValueFrom(context$)).resolves.toEqual({ userId: expectedHashedPlainUsername, + isElasticCloudUser: false, }); }); 
@@ -217,7 +220,10 @@ describe('Cloud Plugin', () => { ([{ name }]) => name === 'cloud_user_id' )!; - await expect(firstValueFrom(context$)).resolves.toEqual({ userId: undefined }); + await expect(firstValueFrom(context$)).resolves.toEqual({ + userId: undefined, + isElasticCloudUser: false, + }); }); }); diff --git a/x-pack/plugins/cloud/public/plugin.tsx b/x-pack/plugins/cloud/public/plugin.tsx index 1bccf219225dc..219303b2ea7bc 100644 --- a/x-pack/plugins/cloud/public/plugin.tsx +++ b/x-pack/plugins/cloud/public/plugin.tsx 
@@ -267,22 +267,35 @@ export class CloudPlugin implements Plugin { user.authentication_realm?.type === 'saml' && user.authentication_realm?.name === 'cloud-saml-kibana' ) { - // If authenticated via Cloud SAML, use the SAML username as the user ID - return user.username; + // If the user is managed by ESS, use the plain username as the user ID: + // The username is expected to be unique for these users, + // and it matches how users are identified in the Cloud UI, so it allows us to correlate them. + return { userId: user.username, isElasticCloudUser: true }; } - return cloudId ? `${cloudId}:${user.username}` : user.username; + return { + // For the rest of the authentication providers, we want to add the cloud deployment ID to make it unique. + // Especially in the case of Elasticsearch-backed authentication, where users are commonly repeated + // across multiple deployments (i.e.: `elastic` superuser). + userId: cloudId ? `${cloudId}:${user.username}` : user.username, + isElasticCloudUser: false, + }; }), - // Join the cloud org id and the user to create a truly unique user id. // The hashing here is to keep it at clear as possible in our source code that we do not send literal user IDs - map((userId) => ({ userId: sha256(userId) })), - catchError(() => of({ userId: undefined })) + map(({ userId, isElasticCloudUser }) => ({ userId: sha256(userId), isElasticCloudUser })), + catchError(() => of({ userId: undefined, isElasticCloudUser: false })) ), schema: { userId: { type: 'keyword', _meta: { description: 'The user id scoped as seen by Cloud (hashed)' }, }, + isElasticCloudUser: { + type: 'boolean', + _meta: { + description: '`true` if the user is managed by ESS.', + }, + }, }, }); } diff --git a/x-pack/plugins/cloud_security_posture/common/constants.ts b/x-pack/plugins/cloud_security_posture/common/constants.ts index 99e626b328889..872b5353d31a1 100644 --- a/x-pack/plugins/cloud_security_posture/common/constants.ts 
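Review bot: `catchError(() => of({ userId: undefined, isElasticCloudUser: false }))` reports a failed user lookup with the same `isElasticCloudUser: false` as a genuine non-ESS user, so the new telemetry field cannot separate "not Cloud-managed" from "unknown"; the schema description `'\`true\` if the user is managed by ESS.'` should state that, e.g. `'\`true\` if the user is authenticated through the Cloud SAML realm; \`false\` for any other realm and when the user could not be resolved.'`. The updated test in plugin.test.ts that expects `{ userId: undefined, isElasticCloudUser: false }` pins this behaviour, so a third state would need a change there as well. It is also worth a line noting that the classification hinges on the realm name `cloud-saml-kibana`, since a renamed realm silently turns every user into `false`.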
+++ b/x-pack/plugins/cloud_security_posture/common/constants.ts @@ -7,10 +7,10 @@ export const INFO_ROUTE_PATH = '/internal/cloud_security_posture/setup_status'; export const STATS_ROUTE_PATH = '/internal/cloud_security_posture/stats'; -export const FINDINGS_ROUTE_PATH = '/internal/cloud_security_posture/findings'; export const BENCHMARKS_ROUTE_PATH = '/internal/cloud_security_posture/benchmarks'; export const UPDATE_RULES_CONFIG_ROUTE_PATH = '/internal/cloud_security_posture/update_rules_config'; +export const ES_PIT_ROUTE_PATH = '/internal/cloud_security_posture/es_pit'; export const CLOUD_SECURITY_POSTURE_PACKAGE_NAME = 'cloud_security_posture'; @@ -23,6 +23,8 @@ export const LATEST_FINDINGS_INDEX_DEFAULT_NS = 'logs-' + LATEST_FINDINGS_INDEX_ export const BENCHMARK_SCORE_INDEX_NAME = 'cloud_security_posture.scores'; export const BENCHMARK_SCORE_INDEX_DEFAULT_NS = 'logs-' + BENCHMARK_SCORE_INDEX_NAME + '-default'; +export const CSP_INGEST_TIMESTAMP_PIPELINE = 'cloud_security_posture_add_ingest_timestamp_pipeline'; + export const RULE_PASSED = `passed`; export const RULE_FAILED = `failed`; diff --git a/x-pack/plugins/cloud_security_posture/common/schemas/csp_configuration.ts b/x-pack/plugins/cloud_security_posture/common/schemas/csp_configuration.ts index a796ace382d13..2a3a1f1152540 100644 --- a/x-pack/plugins/cloud_security_posture/common/schemas/csp_configuration.ts +++ b/x-pack/plugins/cloud_security_posture/common/schemas/csp_configuration.ts @@ -6,6 +6,7 @@ */ import { schema as rt, TypeOf } from '@kbn/config-schema'; +// cspRulesConfigSchema have to be correspond to DataYaml struct in https://github.com/elastic/cloudbeat/blob/main/config/config.go#L44-L50 export const cspRulesConfigSchema = rt.object({ data_yaml: rt.object({ activated_rules: rt.object({ diff --git a/x-pack/plugins/cloud_security_posture/kibana.json b/x-pack/plugins/cloud_security_posture/kibana.json index 5c7f40891ea2f..ca140cd032644 100755 
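Review bot: The new comment links `config/config.go#L44-L50` on the `main` branch of cloudbeat, and a line-anchored link to a moving branch stops pointing at the struct as soon as that file is edited; pin it to a commit, e.g. `https://github.com/elastic/cloudbeat/blob/<commit-sha>/config/config.go` (placeholder), and name the struct rather than relying on the line range. The wording is also off; suggested text: `// cspRulesConfigSchema must stay in sync with the DataYaml struct in cloudbeat's config/config.go`. The `rt.object` definition it documents continues outside the hunk.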
--- a/x-pack/plugins/cloud_security_posture/kibana.json +++ b/x-pack/plugins/cloud_security_posture/kibana.json @@ -10,6 +10,6 @@ "description": "The cloud security posture plugin", "server": true, "ui": true, - "requiredPlugins": ["navigation", "data", "fleet", "unifiedSearch"], + "requiredPlugins": ["navigation", "data", "fleet", "unifiedSearch", "taskManager"], "requiredBundles": ["kibanaReact"] } diff --git a/x-pack/plugins/cloud_security_posture/public/application/app.tsx b/x-pack/plugins/cloud_security_posture/public/application/app.tsx index c18a9c0083026..4ff36e379648d 100755 --- a/x-pack/plugins/cloud_security_posture/public/application/app.tsx +++ b/x-pack/plugins/cloud_security_posture/public/application/app.tsx @@ -18,7 +18,9 @@ import { UnknownRoute } from '../components/unknown_route'; import type { CspClientPluginStartDeps } from '../types'; import { pageToComponentMapping } from './constants'; -const queryClient = new QueryClient(); +const queryClient = new QueryClient({ + defaultOptions: { queries: { refetchOnWindowFocus: false } }, +}); export interface CspAppDeps { core: CoreStart; diff --git a/x-pack/plugins/cloud_security_posture/public/common/api/use_latest_findings_data_view.ts b/x-pack/plugins/cloud_security_posture/public/common/api/use_latest_findings_data_view.ts index 21708c3be1f5e..8f7a9c9b59d5e 100644 --- a/x-pack/plugins/cloud_security_posture/public/common/api/use_latest_findings_data_view.ts +++ b/x-pack/plugins/cloud_security_posture/public/common/api/use_latest_findings_data_view.ts @@ -7,6 +7,7 @@ import { useQuery } from 'react-query'; import { useKibana } from '@kbn/kibana-react-plugin/public'; +import type { DataView } from '@kbn/data-plugin/common'; import { CSP_LATEST_FINDINGS_DATA_VIEW } from '../../../common/constants'; import { CspClientPluginStartDeps } from '../../types'; 
@@ -18,8 +19,14 @@ export const useLatestFindingsDataView = () => { data: { dataViews }, } = useKibana().services; - // TODO: use `dataViews.get(ID)` - const findDataView = async () => (await dataViews.find(CSP_LATEST_FINDINGS_DATA_VIEW))?.[0]; + const findDataView = async (): Promise => { + const dataView = (await dataViews.find(CSP_LATEST_FINDINGS_DATA_VIEW))?.[0]; + if (!dataView) { + throw new Error('Findings data view not found'); + } - return useQuery(['latest_findings_dataview'], findDataView); + return dataView; + }; + + return useQuery(['latest_findings_data_view'], findDataView); }; diff --git a/x-pack/plugins/cloud_security_posture/public/common/navigation/use_csp_breadcrumbs.ts b/x-pack/plugins/cloud_security_posture/public/common/navigation/use_csp_breadcrumbs.ts index ca2ee7cd5f9e8..32ade5badafb0 100644 --- a/x-pack/plugins/cloud_security_posture/public/common/navigation/use_csp_breadcrumbs.ts +++ b/x-pack/plugins/cloud_security_posture/public/common/navigation/use_csp_breadcrumbs.ts @@ -8,10 +8,22 @@ import type { ChromeBreadcrumb, CoreStart } from '@kbn/core/public'; import { useEffect } from 'react'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { PLUGIN_ID } from '../../../common'; +import { type RouteProps, useRouteMatch, useHistory } from 'react-router-dom'; import type { CspNavigationItem } from './types'; import { CLOUD_POSTURE } from './translations'; +const getClickableBreadcrumb = ( + routeMatch: RouteProps['path'], + breadcrumbPath: CspNavigationItem['path'] +) => { + const hasParams = breadcrumbPath.includes(':'); + if (hasParams) return; + + if (routeMatch !== breadcrumbPath) { + return breadcrumbPath.startsWith('/') ? `${breadcrumbPath}` : `/${breadcrumbPath}`; + } +}; + export const useCspBreadcrumbs = (breadcrumbs: CspNavigationItem[]) => { const { services: { 
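Review bot: The rewritten `findDataView` still resolves the data view with `dataViews.find(CSP_LATEST_FINDINGS_DATA_VIEW)?.[0]`, a title search that takes the first hit, yet the commit drops the `// TODO: use dataViews.get(ID)` reminder without acting on it; if more than one data view matches the title the page silently binds to whichever comes back first, so the TODO should stay or the lookup should move to `dataViews.get` with the known id. The new `throw new Error('Findings data view not found')` reaches the page template's error rendering as a raw string while the plugin's other user-facing text goes through translations, so an i18n message would be consistent. The query key also changes from `'latest_findings_dataview'` to `'latest_findings_data_view'`; any other caller still invalidating or reading the old key would be decoupled by the rename (none is visible in this chunk).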
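Review bot: `getClickableBreadcrumb` compares `routeMatch !== breadcrumbPath` before it normalises the leading slash, so a navigation item whose `path` lacks a leading `/` never equals `match.path` and the crumb for the current page is rendered clickable (pointing at itself), while the same item written with the slash is correctly inert. Normalise first and compare the normalised value: `const normalized = breadcrumbPath.startsWith('/') ? breadcrumbPath : '/' + breadcrumbPath;` followed by `if (routeMatch !== normalized) return normalized;`. The `hasParams` early return also deserves a one-line comment saying why parameterised routes are never linkable; the hook that consumes the helper continues past the end of the hunk.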
@@ -19,22 +31,33 @@ export const useCspBreadcrumbs = (breadcrumbs: CspNavigationItem[]) => { application: { getUrlForApp }, }, } = useKibana(); + const match = useRouteMatch(); + const history = useHistory(); useEffect(() => { - const cspPath = getUrlForApp(PLUGIN_ID); - const additionalBreadCrumbs: ChromeBreadcrumb[] = breadcrumbs.map((breadcrumb) => ({ - text: breadcrumb.name, - path: breadcrumb.path.startsWith('/') - ? `${cspPath}${breadcrumb.path}` - : `${cspPath}/${breadcrumb.path}`, - })); + const additionalBreadCrumbs: ChromeBreadcrumb[] = breadcrumbs.map((breadcrumb) => { + const clickableLink = getClickableBreadcrumb(match.path, breadcrumb.path); + + return { + text: breadcrumb.name, + ...(clickableLink && { + onClick: (e) => { + e.preventDefault(); + history.push(clickableLink); + }, + }), + }; + }); setBreadcrumbs([ { text: CLOUD_POSTURE, - href: cspPath, + onClick: (e) => { + e.preventDefault(); + history.push(`/`); + }, }, ...additionalBreadCrumbs, ]); - }, [getUrlForApp, setBreadcrumbs, breadcrumbs]); + }, [match.path, getUrlForApp, setBreadcrumbs, breadcrumbs, history]); }; diff --git a/x-pack/plugins/cloud_security_posture/public/common/navigation/use_navigate_to_cis_integration.ts b/x-pack/plugins/cloud_security_posture/public/common/navigation/use_navigate_to_cis_integration.ts index a6a63847f5c77..19949e352eaaf 100644 --- a/x-pack/plugins/cloud_security_posture/public/common/navigation/use_navigate_to_cis_integration.ts +++ b/x-pack/plugins/cloud_security_posture/public/common/navigation/use_navigate_to_cis_integration.ts 
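Review bot: The breadcrumbs now carry only `onClick` handlers and no `href` (the `path`/`href` values previously built with `getUrlForApp` are removed), so they stop behaving as links: middle-click or ctrl-click to open in a new tab, copying the target, and assistive technology expecting an anchor all lose the URL. Keeping an `href` next to `onClick` (which still calls `e.preventDefault()` and `history.push`) preserves in-app navigation while restoring those affordances. Relatedly, `getUrlForApp` is no longer used inside the effect but is still destructured and listed in `[match.path, getUrlForApp, setBreadcrumbs, breadcrumbs, history]`; either use it for the `href` or drop it from both places.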
@@ -5,12 +5,24 @@ * 2.0. */ -import { pagePathGetters } from '@kbn/fleet-plugin/public'; +import { pagePathGetters, pkgKeyFromPackageInfo } from '@kbn/fleet-plugin/public'; +import { useCisKubernetesIntegration } from '../api/use_cis_kubernetes_integration'; import { useKibana } from '../hooks/use_kibana'; -const CIS_INTEGRATION_PATH = pagePathGetters.integrations_all({ searchTerm: 'CIS' }).join(''); - -export const useCISIntegrationLink = () => { +export const useCISIntegrationLink = (): string | undefined => { const { http } = useKibana().services; - return http.basePath.prepend(CIS_INTEGRATION_PATH); + const cisIntegration = useCisKubernetesIntegration(); + + if (!cisIntegration.isSuccess) return; + + const path = pagePathGetters + .integration_details_overview({ + pkgkey: pkgKeyFromPackageInfo({ + name: cisIntegration.data.item.name, + version: cisIntegration.data.item.version, + }), + }) + .join('/'); + + return http.basePath.prepend(path); }; diff --git a/x-pack/plugins/cloud_security_posture/public/components/csp_loading_state.tsx b/x-pack/plugins/cloud_security_posture/public/components/csp_loading_state.tsx index 4b6059ca76711..21a01c9f52ace 100644 --- a/x-pack/plugins/cloud_security_posture/public/components/csp_loading_state.tsx +++ b/x-pack/plugins/cloud_security_posture/public/components/csp_loading_state.tsx @@ -5,17 +5,28 @@ * 2.0. */ -import { EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner } from '@elastic/eui'; +import { EuiFlexGroup, EuiFlexItem, EuiLoadingSpinner, useEuiTheme } from '@elastic/eui'; import React from 'react'; +import { css } from '@emotion/react'; export const CspLoadingState: React.FunctionComponent<{ ['data-test-subj']?: string }> = ({ children, ...rest -}) => ( - - - - - {children} - -); +}) => { + const { euiTheme } = useEuiTheme(); + return ( + + + + + {children} + + ); +}; 
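Review bot: The new path is assembled with `.join('/')`, whereas the previous `pagePathGetters.integrations_all(...)` result was joined with `''`; if the segments returned by `integration_details_overview` already start with `/`, as the old joiner suggests, the result contains a doubled slash — confirm against the fleet getter's return shape and use the same joiner unless the segments genuinely differ. The hook now returns `undefined` until `useCisKubernetesIntegration()` succeeds and stays `undefined` on error, which the callers in this commit handle through `isDisabled={!cisIntegrationLink}`; a JSDoc line on `useCISIntegrationLink` such as `@returns the integration details URL, or undefined while the package info is loading or failed` would make that contract explicit.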
diff --git a/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.test.tsx b/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.test.tsx index 82c3d15735049..d41d2c1c65e81 100644 --- a/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.test.tsx +++ b/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.test.tsx @@ -132,6 +132,22 @@ describe('', () => { ); }); + it('renders default loading text when query is idle', () => { + const query = createReactQueryResponse({ + status: 'idle', + }) as unknown as UseQueryResult; + + const children = chance.sentence(); + renderCspPageTemplate({ children, query }); + + expect(screen.getByTestId(LOADING_STATE_TEST_SUBJECT)).toBeInTheDocument(); + expect(screen.queryByText(children)).not.toBeInTheDocument(); + expect(screen.queryByTestId(ERROR_STATE_TEST_SUBJECT)).not.toBeInTheDocument(); + packageNotInstalledUniqueTexts.forEach((text) => + expect(screen.queryByText(text)).not.toBeInTheDocument() + ); + }); + it('renders default error texts when query isError', () => { const error = chance.sentence(); const message = chance.sentence(); diff --git a/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.tsx b/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.tsx index 975d5949bbae9..24ac368b0ec01 100644 --- a/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.tsx +++ b/x-pack/plugins/cloud_security_posture/public/components/csp_page_template.tsx @@ -81,7 +81,7 @@ export const LOADING_STATE_TEST_SUBJECT = 'csp_page_template_loading'; export const ERROR_STATE_TEST_SUBJECT = 'csp_page_template_error'; const getPackageNotInstalledNoDataConfig = ( - cisIntegrationLink: string + cisIntegrationLink?: string ): KibanaPageTemplateProps['noDataConfig'] => ({ pageTitle: PACKAGE_NOT_INSTALLED_TEXT.PAGE_TITLE, solution: PACKAGE_NOT_INSTALLED_TEXT.SOLUTION, 
@@ -91,6 +91,7 @@ const getPackageNotInstalledNoDataConfig = ( actions: { elasticAgent: { href: cisIntegrationLink, + isDisabled: !cisIntegrationLink, title: PACKAGE_NOT_INSTALLED_TEXT.BUTTON_TITLE, description: PACKAGE_NOT_INSTALLED_TEXT.DESCRIPTION, }, @@ -188,7 +189,9 @@ export const CspPageTemplate = ({ }; const render = () => { - if (query?.isLoading || cisKubernetesPackageInfo.isLoading) return loadingRender(); + if (query?.isLoading || query?.isIdle || cisKubernetesPackageInfo.isLoading) { + return loadingRender(); + } if (query?.isError) return errorRender(query.error); if (query?.isSuccess) return children; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/benchmarks/benchmarks.tsx b/x-pack/plugins/cloud_security_posture/public/pages/benchmarks/benchmarks.tsx index 1b1ac705a63bc..4177f6d15c50c 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/benchmarks/benchmarks.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/benchmarks/benchmarks.tsx @@ -46,6 +46,7 @@ const AddCisIntegrationButton = () => { fill iconType="plusInCircle" href={cisIntegrationLink} + isDisabled={!cisIntegrationLink} > { const [query, setQuery] = useState({ name: '', page: 1, - perPage: 5, + perPage: 10, sortField: 'package_policy.name', sortOrder: 'asc', }); diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/constants.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/constants.ts new file mode 100644 index 0000000000000..d4a14320fe225 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/constants.ts 
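Review bot: `query?.isIdle` is now rendered as the loading state; in react-query a query is also idle when it is intentionally disabled (`enabled: false`), so a caller that passes such a query to `CspPageTemplate` sees a spinner indefinitely instead of its children. That is fine for the findings page, where the PIT query is only disabled after it has succeeded, but the assumption deserves a comment on the new condition, e.g. `// idle is treated as loading: callers must not pass a permanently disabled query`. The enclosing `render` function and component continue outside the hunk.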
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const FINDINGS_PIT_KEEP_ALIVE = '2m';
+// Set to half of the PIT keep alive to make sure we keep the PIT window open as long as the components are mounted
+export const FINDINGS_REFETCH_INTERVAL_MS = 1000 * 60; // One minute
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/findings_es_pit_context.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/findings_es_pit_context.ts
new file mode 100644
index 0000000000000..54105ad21495f
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/findings_es_pit_context.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createContext, type MutableRefObject } from 'react';
+import type { UseQueryResult } from 'react-query';
+
+interface FindingsEsPitContextValue {
+ setPitId(newPitId: string): void;
+ pitIdRef: MutableRefObject;
+ pitQuery: UseQueryResult;
+}
+
+// Default value should never be used, it can not be instantiated statically. Always wrap in a provider with a value
+export const FindingsEsPitContext = createContext(
+ {} as FindingsEsPitContextValue
+);
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/use_findings_es_pit.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/use_findings_es_pit.ts
new file mode 100644
index 0000000000000..d7d7d6cbe3415
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/es_pit/use_findings_es_pit.ts
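Review bot: `FINDINGS_REFETCH_INTERVAL_MS = 1000 * 60` is documented as half of `FINDINGS_PIT_KEEP_ALIVE = '2m'`, but nothing ties the two literals together, so changing one without the other silently reopens the window in which the PIT can expire between refetches. Deriving both from one number keeps the invariant: `export const FINDINGS_PIT_KEEP_ALIVE_MINUTES = 2;`, `export const FINDINGS_PIT_KEEP_ALIVE = FINDINGS_PIT_KEEP_ALIVE_MINUTES + 'm';`, `export const FINDINGS_REFETCH_INTERVAL_MS = (FINDINGS_PIT_KEEP_ALIVE_MINUTES * 60 * 1000) / 2;`. The existing comment then describes a relationship the code actually enforces.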
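Review bot: `createContext({} as FindingsEsPitContextValue)` means a consumer rendered outside the provider fails only when it touches `pitIdRef.current` or `pitQuery`, with a generic TypeError far from the cause. A small accessor hook that throws early keeps the comment's promise ("default value should never be used") enforceable, e.g. `const ctx = useContext(FindingsEsPitContext); if (!('pitIdRef' in ctx)) throw new Error('FindingsEsPitContext used outside its provider'); return ctx;`, with the consumers in use_latest_findings.ts calling that hook instead of `useContext` directly.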
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useCallback, useRef, useState } from 'react';
+import { useQuery } from 'react-query';
+import { CSP_LATEST_FINDINGS_DATA_VIEW, ES_PIT_ROUTE_PATH } from '../../../../common/constants';
+import { useKibana } from '../../../common/hooks/use_kibana';
+import { FINDINGS_PIT_KEEP_ALIVE } from '../constants';
+
+export const useFindingsEsPit = (queryKey: string) => {
+ // Using a reference for the PIT ID to avoid re-rendering when it changes
+ const pitIdRef = useRef();
+ // Using this state as an internal control to ensure we run the query to open the PIT once and only once
+ const [isPitIdSet, setPitIdSet] = useState(false);
+ const setPitId = useCallback(
+ (newPitId: string) => {
+ pitIdRef.current = newPitId;
+ setPitIdSet(true);
+ },
+ [pitIdRef, setPitIdSet]
+ );
+
+ const { http } = useKibana().services;
+ const pitQuery = useQuery(
+ ['findingsPitQuery', queryKey],
+ () =>
+ http.post(ES_PIT_ROUTE_PATH, {
+ query: { index_name: CSP_LATEST_FINDINGS_DATA_VIEW, keep_alive: FINDINGS_PIT_KEEP_ALIVE },
+ }),
+ {
+ enabled: !isPitIdSet,
+ onSuccess: (pitId) => {
+ setPitId(pitId);
+ },
+ cacheTime: 0,
+ }
+ );
+
+ return { pitIdRef, setPitId, pitQuery };
+};
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/findings.tsx b/x-pack/plugins/cloud_security_posture/public/pages/findings/findings.tsx
index 4fa5c33903477..599ab03545a2c 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/findings/findings.tsx
+++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/findings.tsx
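Review bot: The PIT is opened by posting `index_name: CSP_LATEST_FINDINGS_DATA_VIEW` to `ES_PIT_ROUTE_PATH`, so the target index arrives as a client-supplied request parameter; the server handler for that route is not in this chunk, and it should validate `index_name` against the plugin's own index patterns (or ignore the parameter and apply the constant server-side) rather than open a point in time on whatever index a caller names, so the route does not become a general PIT-opening endpoint for any index the user's Elasticsearch privileges reach. The hook also never closes the PIT: nothing runs on unmount, so each mount leaves a PIT alive on the cluster until `FINDINGS_PIT_KEEP_ALIVE` elapses — a `useEffect` cleanup that closes `pitIdRef.current` would release it promptly, and `pitIdRef`/`pitQuery` should be documented as "open until keep-alive expires" if that is intentional. Minor: `[pitIdRef, setPitIdSet]` in the `useCallback` dependency list are stable references and can be `[]`.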
@@ -5,7 +5,10 @@ * 2.0. */ import React from 'react'; +import type { UseQueryResult } from 'react-query'; import { Redirect, Switch, Route, useLocation } from 'react-router-dom'; +import { useFindingsEsPit } from './es_pit/use_findings_es_pit'; +import { FindingsEsPitContext } from './es_pit/findings_es_pit_context'; import { useLatestFindingsDataView } from '../../common/api/use_latest_findings_data_view'; import { allNavigationItems, findingsNavigation } from '../../common/navigation/constants'; import { CspPageTemplate } from '../../components/csp_page_template'; @@ -15,37 +18,51 @@ import { LatestFindingsContainer } from './latest_findings/latest_findings_conta export const Findings = () => { const location = useLocation(); const dataViewQuery = useLatestFindingsDataView(); + // TODO: Consider splitting the PIT window so that each "group by" view has its own PIT + const { pitQuery, pitIdRef, setPitId } = useFindingsEsPit('findings'); - if (!dataViewQuery.data) return ; + let queryForPageTemplate: UseQueryResult = dataViewQuery; + if (pitQuery.isError || pitQuery.isLoading || pitQuery.isIdle) { + queryForPageTemplate = pitQuery; + } return ( - - - ( - - )} - /> - } - /> - } - /> - } - /> - + + , + setPitId, + }} + > + + ( + + )} + /> + } + /> + } + /> + } + /> + + ); }; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.test.tsx b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.test.tsx index 29c9df5f4a932..9172872f839c9 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.test.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.test.tsx 
@@ -4,6 +4,8 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import type { UseQueryResult } from 'react-query'; +import { createReactQueryResponse } from '../../../test/fixtures/react_query'; import React from 'react'; import { render } from '@testing-library/react'; import { LatestFindingsContainer, getDefaultQuery } from './latest_findings_container'; @@ -19,6 +21,7 @@ import { RisonObject } from 'rison-node'; import { buildEsQuery } from '@kbn/es-query'; import { getFindingsCountAggQuery } from '../use_findings_count'; import { getPaginationQuery } from '../utils'; +import { FindingsEsPitContext } from '../es_pit/findings_es_pit_context'; jest.mock('../../../common/api/use_latest_findings_data_view'); jest.mock('../../../common/api/use_cis_kubernetes_integration'); @@ -47,6 +50,13 @@ describe('', () => { search: encodeQuery(query as unknown as RisonObject), }); + const setPitId = jest.fn(); + const pitIdRef = { current: '' }; + const pitQuery = createReactQueryResponse({ + status: 'success', + data: '', + }) as UseQueryResult; + render( ', () => { unifiedSearch: unifiedSearchPluginMock.createStartContract(), }} > - + + + ); const baseQuery = { - index: dataView.title, query: buildEsQuery(dataView, query.query, query.filters), + pitId: pitIdRef.current, }; expect(dataMock.search.search).toHaveBeenNthCalledWith(1, { diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.tsx b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.tsx index a7a3d2682e015..e5e72bf379734 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/latest_findings_container.tsx 
@@ -6,9 +6,9 @@ */ import React, { useMemo } from 'react'; import { EuiSpacer } from '@elastic/eui'; -import type { DataView } from '@kbn/data-plugin/common'; import { FormattedMessage } from '@kbn/i18n-react'; import { number } from 'io-ts'; +import type { FindingsBaseProps } from '../types'; import { FindingsTable } from './latest_findings_table'; import { FindingsSearchBar } from '../layout/findings_search_bar'; import * as TEST_SUBJECTS from '../test_subjects'; @@ -32,7 +32,7 @@ export const getDefaultQuery = (): FindingsBaseURLQuery & FindingsGroupByNoneQue pageSize: 10, }); -export const LatestFindingsContainer = ({ dataView }: { dataView: DataView }) => { +export const LatestFindingsContainer = ({ dataView }: FindingsBaseProps) => { useCspBreadcrumbs([findingsNavigation.findings_default]); const { urlQuery, setUrlQuery } = useUrlQuery(getDefaultQuery); diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/use_latest_findings.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/use_latest_findings.ts index 750b79ffb04a6..fbbd821e8aae9 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/use_latest_findings.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings/use_latest_findings.ts @@ -4,6 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { useContext } from 'react'; import { useQuery } from 'react-query'; import { number } from 'io-ts'; import { lastValueFrom } from 'rxjs'; 
@@ -11,11 +12,14 @@ import type { IEsSearchResponse } from '@kbn/data-plugin/common'; import type { CoreStart } from '@kbn/core/public'; import type { Criteria, Pagination } from '@elastic/eui'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { FindingsEsPitContext } from '../es_pit/findings_es_pit_context'; import { extractErrorMessage } from '../../../../common/utils/helpers'; import * as TEXT from '../translations'; +import type { CspFindingsQueryData } from '../types'; import type { CspFinding, FindingsQueryResult } from '../types'; import { useKibana } from '../../../common/hooks/use_kibana'; import type { FindingsBaseEsQuery } from '../types'; +import { FINDINGS_REFETCH_INTERVAL_MS } from '../constants'; interface UseFindingsOptions extends FindingsBaseEsQuery { from: NonNullable; @@ -31,12 +35,7 @@ export interface FindingsGroupByNoneQuery { sort: Sort; } -interface CspFindingsData { - page: CspFinding[]; - total: number; -} - -export type CspFindingsResult = FindingsQueryResult; +export type CspFindingsResult = FindingsQueryResult; const FIELDS_WITHOUT_KEYWORD_MAPPING = new Set([ '@timestamp', 
@@ -57,35 +56,55 @@ export const showErrorToast = ( else toasts.addDanger(extractErrorMessage(error, TEXT.SEARCH_FAILED)); }; -export const getFindingsQuery = ({ index, query, size, from, sort }: UseFindingsOptions) => ({ - index, +export const getFindingsQuery = ({ + query, + size, + from, + sort, + pitId, +}: UseFindingsOptions & { pitId: string }) => ({ query, size, from, sort: [{ [getSortKey(sort.field)]: sort.direction }], + pit: { id: pitId }, + ignore_unavailable: false, }); -export const useLatestFindings = ({ index, query, sort, from, size }: UseFindingsOptions) => { +export const useLatestFindings = ({ query, sort, from, size }: UseFindingsOptions) => { const { data, notifications: { toasts }, } = useKibana().services; + const { pitIdRef, setPitId } = useContext(FindingsEsPitContext); + const pitId = pitIdRef.current; - return useQuery( - ['csp_findings', { index, query, sort, from, size }], + return useQuery< + IEsSearchResponse, + unknown, + CspFindingsQueryData & { newPitId: string } + >( + ['csp_findings', { query, sort, from, size, pitId }], () => lastValueFrom>( data.search.search({ - params: getFindingsQuery({ index, query, sort, from, size }), + params: getFindingsQuery({ query, sort, from, size, pitId }), }) ), { keepPreviousData: true, - select: ({ rawResponse: { hits } }) => ({ + select: ({ rawResponse: { hits, pit_id: newPitId } }) => ({ page: hits.hits.map((hit) => hit._source!), total: number.is(hits.total) ? hits.total : 0, + newPitId: newPitId!, }), onError: (err) => showErrorToast(toasts, err), + onSuccess: ({ newPitId }) => { + setPitId(newPitId); + }, + // Refetching on an interval to ensure the PIT window stays open + refetchInterval: FINDINGS_REFETCH_INTERVAL_MS, + refetchIntervalInBackground: true, } ); }; 
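Review bot: `ignore_unavailable: false` is added beside `pit: { id: pitId }` with no comment, and the same bare override recurs in use_resource_findings.ts, use_findings_by_resource.ts and use_findings_count.ts; presumably it cancels the `ignore_unavailable: true` that Kibana's search strategy injects by default, which Elasticsearch rejects as non-default indices options on a point-in-time search, so a comment such as `// PIT searches reject non-default indices options; undo the search strategy's ignore_unavailable default` should accompany it. `newPitId: newPitId!` asserts away a field the response type marks optional, and since `onSuccess` writes it into the shared context, an absent `pit_id` would make every sibling hook search with `pit: { id: undefined }`; falling back to the id already in hand, `newPitId: newPitId ?? pitId`, is safer than the assertion. `pit` is placed at the top level of the params here but under `body` in the other three hooks; both reach Elasticsearch, but one placement is easier to grep for. Because a PIT pins server-side search state and `refetchIntervalInBackground: true` keeps hidden tabs polling to hold it open, the relationship between FINDINGS_REFETCH_INTERVAL_MS and the keep_alive chosen in FindingsEsPitContext (not in this diff) deserves a comment, including whether the context closes the PIT on unmount.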
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/findings_by_resource_container.tsx b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/findings_by_resource_container.tsx index c4cea2cb8f9dc..726f727a7d933 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/findings_by_resource_container.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/findings_by_resource_container.tsx @@ -5,13 +5,12 @@ * 2.0. */ import React from 'react'; -import type { DataView } from '@kbn/data-plugin/common'; import { Route, Switch } from 'react-router-dom'; import { FormattedMessage } from '@kbn/i18n-react'; import { FindingsSearchBar } from '../layout/findings_search_bar'; import * as TEST_SUBJECTS from '../test_subjects'; import { useUrlQuery } from '../../../common/hooks/use_url_query'; -import type { FindingsBaseURLQuery } from '../types'; +import type { FindingsBaseProps, FindingsBaseURLQuery } from '../types'; import { FindingsByResourceQuery, useFindingsByResource } from './use_findings_by_resource'; import { FindingsByResourceTable } from './findings_by_resource_table'; import { getBaseQuery, getPaginationQuery, getPaginationTableParams } from '../utils'; @@ -28,7 +27,7 @@ const getDefaultQuery = (): FindingsBaseURLQuery & FindingsByResourceQuery => ({ pageSize: 10, }); -export const FindingsByResourceContainer = ({ dataView }: { dataView: DataView }) => ( +export const FindingsByResourceContainer = ({ dataView }: FindingsBaseProps) => ( ); -const LatestFindingsByResource = ({ dataView }: { dataView: DataView }) => { +const LatestFindingsByResource = ({ dataView }: FindingsBaseProps) => { useCspBreadcrumbs([findingsNavigation.findings_by_resource]); const { urlQuery, setUrlQuery } = useUrlQuery(getDefaultQuery); const findingsGroupByResource = useFindingsByResource({ 
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/resource_findings_container.tsx b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/resource_findings_container.tsx index f9e59c0707fac..0c9015e28e3f9 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/resource_findings_container.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/resource_findings_container.tsx @@ -6,7 +6,6 @@ */ import React from 'react'; import { EuiSpacer, EuiButtonEmpty } from '@elastic/eui'; -import type { DataView } from '@kbn/data-plugin/common'; import { Link, useParams } from 'react-router-dom'; import { FormattedMessage } from '@kbn/i18n-react'; import { useEuiTheme } from '@elastic/eui'; @@ -17,7 +16,7 @@ import { useCspBreadcrumbs } from '../../../../common/navigation/use_csp_breadcr import { findingsNavigation } from '../../../../common/navigation/constants'; import { ResourceFindingsQuery, useResourceFindings } from './use_resource_findings'; import { useUrlQuery } from '../../../../common/hooks/use_url_query'; -import type { FindingsBaseURLQuery } from '../../types'; +import type { FindingsBaseProps, FindingsBaseURLQuery } from '../../types'; import { getBaseQuery, getPaginationQuery, getPaginationTableParams } from '../../utils'; import { ResourceFindingsTable } from './resource_findings_table'; import { FindingsSearchBar } from '../../layout/findings_search_bar'; @@ -40,7 +39,7 @@ const BackToResourcesButton = () => ( ); -export const ResourceFindings = ({ dataView }: { dataView: DataView }) => { +export const ResourceFindings = ({ dataView }: FindingsBaseProps) => { useCspBreadcrumbs([findingsNavigation.findings_default]); const { euiTheme } = useEuiTheme(); const params = useParams<{ resourceId: string }>(); 
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/use_resource_findings.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/use_resource_findings.ts index 9e015d84e2043..f47938edcfe85 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/use_resource_findings.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/resource_findings/use_resource_findings.ts @@ -9,8 +9,12 @@ import { lastValueFrom } from 'rxjs'; import { IEsSearchResponse } from '@kbn/data-plugin/common'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { Pagination } from '@elastic/eui'; +import { useContext } from 'react'; +import { FindingsEsPitContext } from '../../es_pit/findings_es_pit_context'; +import { FINDINGS_REFETCH_INTERVAL_MS } from '../../constants'; import { useKibana } from '../../../../common/hooks/use_kibana'; import { showErrorToast } from '../../latest_findings/use_latest_findings'; +import type { CspFindingsQueryData } from '../../types'; import type { CspFinding, FindingsBaseEsQuery, FindingsQueryResult } from '../../types'; interface UseResourceFindingsOptions extends FindingsBaseEsQuery { @@ -24,19 +28,15 @@ export interface ResourceFindingsQuery { pageSize: Pagination['pageSize']; } -export type ResourceFindingsResult = FindingsQueryResult< - ReturnType['data'] | undefined, - unknown ->; +export type ResourceFindingsResult = FindingsQueryResult; const getResourceFindingsQuery = ({ - index, query, resourceId, from, size, -}: UseResourceFindingsOptions): estypes.SearchRequest => ({ - index, + pitId, +}: UseResourceFindingsOptions & { pitId: string }): estypes.SearchRequest => ({ from, size, body: { 
@@ -47,11 +47,12 @@ const getResourceFindingsQuery = ({ filter: [...(query?.bool?.filter || []), { term: { 'resource_id.keyword': resourceId } }], }, }, + pit: { id: pitId }, }, + ignore_unavailable: false, }); export const useResourceFindings = ({ - index, query, resourceId, from, @@ -62,21 +63,35 @@ export const useResourceFindings = ({ notifications: { toasts }, } = useKibana().services; - return useQuery( - ['csp_resource_findings', { index, query, resourceId, from, size }], + const { pitIdRef, setPitId } = useContext(FindingsEsPitContext); + const pitId = pitIdRef.current; + + return useQuery< + IEsSearchResponse, + unknown, + CspFindingsQueryData & { newPitId: string } + >( + ['csp_resource_findings', { query, resourceId, from, size, pitId }], () => lastValueFrom>( data.search.search({ - params: getResourceFindingsQuery({ index, query, resourceId, from, size }), + params: getResourceFindingsQuery({ query, resourceId, from, size, pitId }), }) ), { keepPreviousData: true, - select: ({ rawResponse: { hits } }) => ({ + select: ({ rawResponse: { hits, pit_id: newPitId } }) => ({ page: hits.hits.map((hit) => hit._source!), total: hits.total as number, + newPitId: newPitId!, }), onError: (err) => showErrorToast(toasts, err), + onSuccess: ({ newPitId }) => { + setPitId(newPitId); + }, + // Refetching on an interval to ensure the PIT window stays open + refetchInterval: FINDINGS_REFETCH_INTERVAL_MS, + refetchIntervalInBackground: true, } ); }; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/use_findings_by_resource.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/use_findings_by_resource.ts index 92480fbb56b79..9201a0520d12f 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/use_findings_by_resource.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/latest_findings_by_resource/use_findings_by_resource.ts 
@@ -4,11 +4,14 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { useContext } from 'react'; import { useQuery } from 'react-query'; import { lastValueFrom } from 'rxjs'; import { IKibanaSearchRequest, IKibanaSearchResponse } from '@kbn/data-plugin/common'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import type { Pagination } from '@elastic/eui'; +import { FindingsEsPitContext } from '../es_pit/findings_es_pit_context'; +import { FINDINGS_REFETCH_INTERVAL_MS } from '../constants'; import { useKibana } from '../../../common/hooks/use_kibana'; import { showErrorToast } from '../latest_findings/use_latest_findings'; import type { FindingsBaseEsQuery, FindingsQueryResult } from '../types'; @@ -31,8 +34,26 @@ type FindingsAggResponse = IKibanaSearchResponse< estypes.SearchResponse<{}, FindingsByResourceAggs> >; +interface FindingsByResourcePage { + failed_findings: { + count: number; + normalized: number; + total_findings: number; + }; + resource_id: string; + resource_name: string; + resource_subtype: string; + cluster_id: string; + cis_sections: string[]; +} + +interface UseFindingsByResourceData { + page: FindingsByResourcePage[]; + total: number; +} + export type CspFindingsByResourceResult = FindingsQueryResult< - ReturnType['data'], + UseFindingsByResourceData | undefined, unknown >; @@ -50,12 +71,11 @@ interface FindingsAggBucket extends estypes.AggregationsStringRareTermsBucketKey } export const getFindingsByResourceAggQuery = ({ - index, query, from, size, -}: UseResourceFindingsOptions): estypes.SearchRequest => ({ - index, + pitId, +}: UseResourceFindingsOptions & { pitId: string }): estypes.SearchRequest => ({ body: { query, size: 0, 
@@ -95,23 +115,28 @@ export const getFindingsByResourceAggQuery = ({ }, }, }, + pit: { id: pitId }, }, + ignore_unavailable: false, }); -export const useFindingsByResource = ({ index, query, from, size }: UseResourceFindingsOptions) => { +export const useFindingsByResource = ({ query, from, size }: UseResourceFindingsOptions) => { const { data, notifications: { toasts }, } = useKibana().services; - return useQuery( - ['csp_findings_resource', { index, query, size, from }], + const { pitIdRef, setPitId } = useContext(FindingsEsPitContext); + const pitId = pitIdRef.current; + + return useQuery( + ['csp_findings_resource', { query, size, from, pitId }], () => lastValueFrom( data.search.search({ - params: getFindingsByResourceAggQuery({ index, query, from, size }), + params: getFindingsByResourceAggQuery({ query, from, size, pitId }), }) - ).then(({ rawResponse: { aggregations } }) => { + ).then(({ rawResponse: { aggregations, pit_id: newPitId } }) => { if (!aggregations) throw new Error('expected aggregations to be defined'); if (!Array.isArray(aggregations.resources.buckets)) @@ -120,16 +145,23 @@ export const useFindingsByResource = ({ index, query, from, size }: UseResourceF return { page: aggregations.resources.buckets.map(createFindingsByResource), total: aggregations.resource_total.value, + newPitId: newPitId!, }; }), { keepPreviousData: true, onError: (err) => showErrorToast(toasts, err), + onSuccess: ({ newPitId }) => { + setPitId(newPitId); + }, + // Refetching on an interval to ensure the PIT window stays open + refetchInterval: FINDINGS_REFETCH_INTERVAL_MS, + refetchIntervalInBackground: true, } ); }; -const createFindingsByResource = (resource: FindingsAggBucket) => { +const createFindingsByResource = (resource: FindingsAggBucket): FindingsByResourcePage => { if ( !Array.isArray(resource.cis_sections.buckets) || !Array.isArray(resource.name.buckets) || 
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/types.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/types.ts index 2d31c1dff7d66..4f562b638f6d1 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/types.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/types.ts @@ -4,8 +4,9 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import type { DataView } from '@kbn/data-views-plugin/common'; import type { BoolQuery, Filter, Query } from '@kbn/es-query'; -import { UseQueryResult } from 'react-query'; +import type { UseQueryResult } from 'react-query'; export type FindingsGroupByKind = 'default' | 'resource'; @@ -14,8 +15,11 @@ export interface FindingsBaseURLQuery { filters: Filter[]; } +export interface FindingsBaseProps { + dataView: DataView; +} + export interface FindingsBaseEsQuery { - index: string; query?: { bool: BoolQuery; }; @@ -98,3 +102,8 @@ interface CspFindingAgent { name: string; type: string; } + +export interface CspFindingsQueryData { + page: CspFinding[]; + total: number; +} diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/use_findings_count.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/use_findings_count.ts index a63a3fac32c8b..051ab68f77c62 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/use_findings_count.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/use_findings_count.ts 
@@ -8,9 +8,11 @@ import { useQuery } from 'react-query'; import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { lastValueFrom } from 'rxjs'; import type { IKibanaSearchRequest, IKibanaSearchResponse } from '@kbn/data-plugin/public'; +import { useContext } from 'react'; import { useKibana } from '../../common/hooks/use_kibana'; import { showErrorToast } from './latest_findings/use_latest_findings'; import type { FindingsBaseEsQuery } from './types'; +import { FindingsEsPitContext } from './es_pit/findings_es_pit_context'; type FindingsAggRequest = IKibanaSearchRequest; type FindingsAggResponse = IKibanaSearchResponse>; 
@@ -23,40 +25,57 @@ interface FindingsAggs extends estypes.AggregationsMultiBucketAggregateBase { }; } -export const getFindingsCountAggQuery = ({ index, query }: FindingsBaseEsQuery) => ({ - index, +interface UseFindingsCounterData { + passed: number; + failed: number; +} + +export const getFindingsCountAggQuery = ({ + query, + pitId, +}: FindingsBaseEsQuery & { pitId: string }) => ({ size: 0, track_total_hits: true, body: { query, aggs: { count: { terms: { field: 'result.evaluation.keyword' } } }, + pit: { id: pitId }, }, + ignore_unavailable: false, }); -export const useFindingsCounter = ({ index, query }: FindingsBaseEsQuery) => { +export const useFindingsCounter = ({ query }: FindingsBaseEsQuery) => { const { data, notifications: { toasts }, } = useKibana().services; - return useQuery( - ['csp_findings_counts', { index, query }], + const { pitIdRef, setPitId } = useContext(FindingsEsPitContext); + const pitId = pitIdRef.current; + + return useQuery( + ['csp_findings_counts', { query, pitId }], () => lastValueFrom( data.search.search({ - params: getFindingsCountAggQuery({ index, query }), + params: getFindingsCountAggQuery({ query, pitId }), }) ), { keepPreviousData: true, onError: (err) => showErrorToast(toasts, err), - select: (response) => - Object.fromEntries( + select: (response) => ({ + ...(Object.fromEntries( response.rawResponse.aggregations!.count.buckets.map((bucket) => [ bucket.key, bucket.doc_count, ])! - ) as Record<'passed' | 'failed', number>, + ) as { passed: number; failed: number }), + newPitId: response.rawResponse.pit_id!, + }), + onSuccess: ({ newPitId }) => { + setPitId(newPitId); + }, } ); }; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/findings/utils.ts b/x-pack/plugins/cloud_security_posture/public/pages/findings/utils.ts index 5f4d574930370..6120085c179d7 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/findings/utils.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/findings/utils.ts 
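Review bot: `useFindingsCounter` is the only one of the four PIT-backed hooks in this change that does not set `refetchInterval` / `refetchIntervalInBackground`, so on a page where it is the sole consumer of FindingsEsPitContext nothing keeps the point in time alive and the query will start failing once the keep_alive elapses. If the omission is deliberate because the counter is always mounted beside a paginated findings hook, say so: `// No refetchInterval here: the sibling findings hook keeps the PIT open.`; otherwise add the same interval options as useLatestFindings. The `Object.fromEntries(...)` result cast to `{ passed: number; failed: number }` yields `undefined` for a bucket the terms aggregation did not return (e.g. no failed findings), which the cast hides; spreading the entries over `{ passed: 0, failed: 0 }` would make the declared type true.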
@@ -6,16 +6,15 @@ */ import { buildEsQuery } from '@kbn/es-query'; -import type { DataView } from '@kbn/data-plugin/common'; import { EuiBasicTableProps, Pagination } from '@elastic/eui'; +import { FindingsBaseProps } from './types'; import type { FindingsBaseEsQuery, FindingsBaseURLQuery } from './types'; export const getBaseQuery = ({ dataView, query, filters, -}: FindingsBaseURLQuery & { dataView: DataView }): FindingsBaseEsQuery => ({ - index: dataView.title, +}: FindingsBaseURLQuery & FindingsBaseProps): FindingsBaseEsQuery => ({ // TODO: this will throw for malformed query // page will display an error boundary with the JS error // will be accounted for before releasing the feature diff --git a/x-pack/plugins/cloud_security_posture/public/pages/rules/index.tsx b/x-pack/plugins/cloud_security_posture/public/pages/rules/index.tsx index 6157a22c9738d..bf109893aa1a4 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/rules/index.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/rules/index.tsx @@ -6,10 +6,11 @@ */ import React, { useMemo } from 'react'; -import { RouteComponentProps } from 'react-router-dom'; -import { EuiTextColor, EuiEmptyPrompt } from '@elastic/eui'; +import { generatePath, Link, RouteComponentProps } from 'react-router-dom'; +import { EuiTextColor, EuiEmptyPrompt, EuiButtonEmpty, EuiFlexGroup } from '@elastic/eui'; import * as t from 'io-ts'; import type { KibanaPageTemplateProps } from '@kbn/kibana-react-plugin/public'; +import { FormattedMessage } from '@kbn/i18n-react'; import { RulesContainer, type PageUrlParams } from './rules_container'; import { allNavigationItems } from '../../common/navigation/constants'; import { useCspBreadcrumbs } from '../../common/navigation/use_csp_breadcrumbs'; 
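Review bot: `import { FindingsBaseProps } from './types';` is a value import of a type-only export, placed directly above an existing `import type { ... } from './types'` line; merge it into that line, `import type { FindingsBaseEsQuery, FindingsBaseProps, FindingsBaseURLQuery } from './types';`, which is also how every other file in this change imports FindingsBaseProps. Keeping type-only names under `import type` lets the transpiler elide the import instead of leaving a reference that some build modes cannot resolve at runtime.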
@@ -36,12 +37,36 @@ export const Rules = ({ match: { params } }: RouteComponentProps) const pageProps: KibanaPageTemplateProps = useMemo( () => ({ pageHeader: { - bottomBorder: false, // TODO: border still shows. - pageTitle: 'Rules', + pageTitle: ( + + + + + + + + + ), description: integrationInfo.data && integrationInfo.data.package && ( - + + + ), }, }), @@ -49,13 +74,15 @@ export const Rules = ({ match: { params } }: RouteComponentProps) ); return ( - } - > - {integrationInfo.status === 'success' && } - + <> + } + > + {integrationInfo.status === 'success' && } + + ); }; @@ -71,10 +98,6 @@ const extractErrorBodyMessage = (err: unknown) => { return extractErrorMessage(err); }; -const PageDescription = ({ text }: { text: string }) => ( - {text} -); - const RulesErrorPrompt = ({ error }: { error: string }) => ( { filter: `${cspRuleAssetSavedObjectType}.attributes.policy_id: "${params.policyId}" and ${cspRuleAssetSavedObjectType}.attributes.package_policy_id: "${params.packagePolicyId}"`, search: '', page: 0, - perPage: 5, + perPage: 10, }); const { data, status, error, refetch } = useFindCspRules({ diff --git a/x-pack/plugins/cloud_security_posture/public/pages/rules/rules_table.tsx b/x-pack/plugins/cloud_security_posture/public/pages/rules/rules_table.tsx index bf0e4781ccbfc..785c501c97563 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/rules/rules_table.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/rules/rules_table.tsx @@ -58,7 +58,7 @@ export const RulesTable = ({ pageIndex: page, pageSize, totalItemCount: total, - pageSizeOptions: [1, 5, 10, 25], + pageSizeOptions: [10, 25, 100], }; const selection: EuiBasicTableProps['selection'] = { diff --git a/x-pack/plugins/cloud_security_posture/public/pages/rules/use_csp_rules.ts b/x-pack/plugins/cloud_security_posture/public/pages/rules/use_csp_rules.ts index 8c4012f6c8b45..bd6df3116680f 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/rules/use_csp_rules.ts 
+++ b/x-pack/plugins/cloud_security_posture/public/pages/rules/use_csp_rules.ts @@ -28,20 +28,17 @@ export type RulesQueryResult = ReturnType; export const useFindCspRules = ({ search, page, perPage, filter }: RulesQuery) => { const { savedObjects } = useKibana().services; - return useQuery( - [cspRuleAssetSavedObjectType, { search, page, perPage }], - () => - savedObjects.client.find({ - type: cspRuleAssetSavedObjectType, - search, - searchFields: ['name'], - page: 1, - // NOTE: 'name.raw' is a field mapping we defined on 'name' - sortField: 'name.raw', - perPage, - filter, - }), - { refetchOnWindowFocus: false } + return useQuery([cspRuleAssetSavedObjectType, { search, page, perPage }], () => + savedObjects.client.find({ + type: cspRuleAssetSavedObjectType, + search, + searchFields: ['name'], + page: 1, + // NOTE: 'name.raw' is a field mapping we defined on 'name' + sortField: 'name.raw', + perPage, + filter, + }) ); }; diff --git a/x-pack/plugins/cloud_security_posture/public/test/fixtures/react_query.ts b/x-pack/plugins/cloud_security_posture/public/test/fixtures/react_query.ts index 201a8d85b4278..0169c359b26eb 100644 --- a/x-pack/plugins/cloud_security_posture/public/test/fixtures/react_query.ts +++ b/x-pack/plugins/cloud_security_posture/public/test/fixtures/react_query.ts @@ -33,5 +33,16 @@ export const createReactQueryResponse = ({ return { status, data: undefined, isSuccess: false, isLoading: true, isError: false }; } + if (status === 'idle') { + return { + status, + data: undefined, + isSuccess: false, + isLoading: false, + isError: false, + isIdle: true, + }; + } + return { status }; }; 
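Review bot: the rewrite drops `{ refetchOnWindowFocus: false }` from the `useFindCspRules` query, so the rules list will now refetch every time the window regains focus unless a QueryClient default overrides it, which this diff does not show. If that is intended, a one-line comment on the `useQuery` call explaining why the option was removed would stop it from being re-added; if not, the options object should be restored. The query key also carries `page` while the request hard-codes `page: 1`; that predates this change but is easier to notice in the flattened call.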
diff --git a/x-pack/plugins/cloud_security_posture/server/create_indices/create_transforms_indices.ts b/x-pack/plugins/cloud_security_posture/server/create_indices/create_indices.ts similarity index 79% rename from x-pack/plugins/cloud_security_posture/server/create_indices/create_transforms_indices.ts rename to x-pack/plugins/cloud_security_posture/server/create_indices/create_indices.ts index 4ee09119c15e4..329be37392c35 100644 --- a/x-pack/plugins/cloud_security_posture/server/create_indices/create_transforms_indices.ts +++ b/x-pack/plugins/cloud_security_posture/server/create_indices/create_indices.ts @@ -5,7 +5,7 @@ * 2.0. */ import { transformError } from '@kbn/securitysolution-es-utils'; -import { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/types'; +import { IndicesIndexSettings, MappingTypeMapping } from '@elastic/elasticsearch/lib/api/types'; import type { ElasticsearchClient, Logger } from '@kbn/core/server'; import { benchmarkScoreMapping } from './benchmark_score_mapping'; import { latestFindingsMapping } from './latest_findings_mapping'; @@ -14,19 +14,20 @@ import { LATEST_FINDINGS_INDEX_NAME, BENCHMARK_SCORE_INDEX_DEFAULT_NS, BENCHMARK_SCORE_INDEX_NAME, + CSP_INGEST_TIMESTAMP_PIPELINE, } from '../../common/constants'; +import { createPipelineIfNotExists } from './create_processor'; // TODO: Add integration tests -export const initializeCspTransformsIndices = async ( - esClient: ElasticsearchClient, - logger: Logger -) => { +export const initializeCspIndices = async (esClient: ElasticsearchClient, logger: Logger) => { + await createPipelineIfNotExists(esClient, CSP_INGEST_TIMESTAMP_PIPELINE, logger); return Promise.all([ createIndexIfNotExists( esClient, LATEST_FINDINGS_INDEX_NAME, LATEST_FINDINGS_INDEX_DEFAULT_NS, latestFindingsMapping, + {}, logger ), createIndexIfNotExists( 
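Review bot: the boolean that `createPipelineIfNotExists` returns is discarded in `initializeCspIndices`, yet the benchmark score index created in the following hunk sets `default_pipeline: CSP_INGEST_TIMESTAMP_PIPELINE`; if pipeline creation failed, the index is still created pointing at a pipeline that does not exist, and later writes to it will likely fail at ingest time instead of the problem being reported at startup. Capture the result and surface it, e.g. `const pipelineReady = await createPipelineIfNotExists(esClient, CSP_INGEST_TIMESTAMP_PIPELINE, logger);` followed by `if (!pipelineReady) logger.warn(\`Pipeline ${CSP_INGEST_TIMESTAMP_PIPELINE} unavailable; writes to the benchmark score index will fail\`);`, or omit the `default_pipeline` setting in that case. The pipeline call is deliberately awaited before the `Promise.all`, since the index setting references it; a short comment saying so would keep someone from moving it into the array.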
@@ -34,6 +35,7 @@ export const initializeCspTransformsIndices = async ( BENCHMARK_SCORE_INDEX_NAME, BENCHMARK_SCORE_INDEX_DEFAULT_NS, benchmarkScoreMapping, + { default_pipeline: CSP_INGEST_TIMESTAMP_PIPELINE }, logger ), ]); @@ -44,6 +46,7 @@ export const createIndexIfNotExists = async ( indexTemplateName: string, indexPattern: string, mappings: MappingTypeMapping, + settings: IndicesIndexSettings, logger: Logger ) => { try { @@ -61,6 +64,7 @@ export const createIndexIfNotExists = async ( await esClient.indices.create({ index: indexPattern, mappings, + settings, }); } } catch (err) { diff --git a/x-pack/plugins/cloud_security_posture/server/create_indices/create_processor.ts b/x-pack/plugins/cloud_security_posture/server/create_indices/create_processor.ts new file mode 100644 index 0000000000000..704765afc976c --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/server/create_indices/create_processor.ts 
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { transformError } from '@kbn/securitysolution-es-utils';
+import type { ElasticsearchClient, Logger } from '@kbn/core/server';
+
+/**
+ * @param pipelineId - the pipeline id to create. If a pipeline with the same pipelineId already exists, nothing is created or updated.
+ *
+ * @return true if the pipeline exits or created, false otherwise.
+ */
+export const createPipelineIfNotExists = async (
+ esClient: ElasticsearchClient,
+ pipelineId: string,
+ logger: Logger
+) => {
+ try {
+ await esClient.ingest.getPipeline({ id: pipelineId });
+ logger.trace(`pipeline: ${pipelineId} already exists`);
+ return true;
+ } catch (exitErr) {
+ const exitError = transformError(exitErr);
+ if (exitError.statusCode === 404) {
+ try {
+ await esClient.ingest.putPipeline({
+ id: pipelineId,
+ description: 'Pipeline for adding event timestamp',
+ processors: [
+ {
+ set: {
+ field: '@timestamp',
+ value: '{{_ingest.timestamp}}',
+ },
+ },
+ ],
+ on_failure: [
+ {
+ set: {
+ field: 'error.message',
+ value: '{{ _ingest.on_failure_message }}',
+ },
+ },
+ ],
+ });
+ logger.trace(`pipeline: ${pipelineId} was created`);
+ return true;
+ } catch (existError) {
+ logger.error(`Failed to create CSP pipeline ${pipelineId}. error: ${existError.message}`);
+ return false;
+ }
+ } else {
+ logger.error(
+ `Failed to check if CSP pipeline ${pipelineId} exists. error: ${exitError.message}`
+ );
+ }
+ }
+ return false;
+};
diff --git a/x-pack/plugins/cloud_security_posture/server/create_transforms/create_transforms.ts b/x-pack/plugins/cloud_security_posture/server/create_transforms/create_transforms.ts
index 02217aea35210..cfc85273b1e99 100644
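Review bot: the `set` processor overwrites `@timestamp` unconditionally (a `set` processor's `override` defaults to true), so any document that already carries its own `@timestamp` loses it when it passes through this pipeline as the index's default_pipeline; if the intent in the description, 'adding event timestamp', is to fill in a missing value only, add `override: false` to the processor, and if clobbering is intended a comment should say so. The catch variables read backwards: `exitErr`/`exitError` belong to the existence check and `existError` to the creation attempt, and the inner one is logged as `existError.message` without `transformError`, unlike the outer one; `} catch (createErr) { const createError = transformError(createErr); ... createError.message` names them correctly and handles non-Error throws the same way in both paths. The JSDoc has a typo ('exits' → 'exists') and documents only `pipelineId`; `esClient` and `logger` should be listed too. The existence check and the put are not atomic, so two Kibana nodes starting together can both put the pipeline; that is harmless because the bodies are identical, but worth a one-line comment.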
--- a/x-pack/plugins/cloud_security_posture/server/create_transforms/create_transforms.ts +++ b/x-pack/plugins/cloud_security_posture/server/create_transforms/create_transforms.ts @@ -8,17 +8,13 @@ import { transformError } from '@kbn/securitysolution-es-utils'; import { TransformPutTransformRequest } from '@elastic/elasticsearch/lib/api/types'; import type { ElasticsearchClient, Logger } from '@kbn/core/server'; import { latestFindingsTransform } from './latest_findings_transform'; -import { benchmarkScoreTransform } from './benchmark_score_transform'; // TODO: Move transforms to integration package export const initializeCspTransforms = async ( esClient: ElasticsearchClient, logger: Logger ): Promise => { - await Promise.all([ - initializeTransform(esClient, latestFindingsTransform, logger), - initializeTransform(esClient, benchmarkScoreTransform, logger), - ]); + await initializeTransform(esClient, latestFindingsTransform, logger); }; export const initializeTransform = async ( diff --git a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts index b9d62b668ee96..45b93e8279614 100644 --- a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts +++ b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.test.ts @@ -19,7 +19,7 @@ import { createPackagePolicyMock, deletePackagePolicyMock } from '@kbn/fleet-plu import { CLOUD_SECURITY_POSTURE_PACKAGE_NAME } from '../../common/constants'; import { onPackagePolicyPostCreateCallback, - onPackagePolicyDeleteCallback, + removeCspRulesInstancesCallback, } from './fleet_integration'; describe('create CSP rules with post package create callback', () => { 
@@ -109,10 +109,10 @@ describe('create CSP rules with post package create callback', () => { ], pit_id: undefined, } as unknown as SavedObjectsFindResponse); - await onPackagePolicyDeleteCallback( - logger, + await removeCspRulesInstancesCallback( mockDeletePackagePolicy[0], - savedObjectRepositoryMock + savedObjectRepositoryMock, + logger ); expect(savedObjectRepositoryMock.find.mock.calls[0][0]).toMatchObject({ perPage: 10000 }); diff --git a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts index 67995936f113e..16bebd252ee49 100644 --- a/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts +++ b/x-pack/plugins/cloud_security_posture/server/fleet_integration/fleet_integration.ts @@ -17,10 +17,7 @@ import { cloudSecurityPostureRuleTemplateSavedObjectType, CloudSecurityPostureRuleTemplateSchema, } from '../../common/schemas/csp_rule_template'; -import { - CLOUD_SECURITY_POSTURE_PACKAGE_NAME, - cspRuleAssetSavedObjectType, -} from '../../common/constants'; +import { cspRuleAssetSavedObjectType } from '../../common/constants'; import { CspRuleSchema } from '../../common/schemas/csp_rule'; type ArrayElement = ArrayType extends ReadonlyArray< @@ -29,12 +26,6 @@ type ArrayElement = ArrayType extends Read ? ElementType : never; -const isCspPackagePolicy = ( - packagePolicy: T -): boolean => { - return packagePolicy.package?.name === CLOUD_SECURITY_POSTURE_PACKAGE_NAME; -}; - /** * Callback to handle creation of PackagePolicies in Fleet */ 
@@ -43,10 +34,6 @@ export const onPackagePolicyPostCreateCallback = async ( packagePolicy: PackagePolicy, savedObjectsClient: SavedObjectsClientContract ): Promise => { - // We only care about Cloud Security Posture package policies - if (!isCspPackagePolicy(packagePolicy)) { - return; - } // Create csp-rules from the generic asset const existingRuleTemplates: SavedObjectsFindResponse = await savedObjectsClient.find({ @@ -76,10 +63,10 @@ export const onPackagePolicyPostCreateCallback = async ( /** * Callback to handle deletion of PackagePolicies in Fleet */ -export const onPackagePolicyDeleteCallback = async ( - logger: Logger, +export const removeCspRulesInstancesCallback = async ( deletedPackagePolicy: ArrayElement, - soClient: ISavedObjectsRepository + soClient: ISavedObjectsRepository, + logger: Logger ): Promise => { try { const { saved_objects: cspRules }: SavedObjectsFindResponse = @@ -97,6 +84,27 @@ export const onPackagePolicyDeleteCallback = async ( } }; +export const isCspPackageInstalled = async ( + soClient: ISavedObjectsRepository, + logger: Logger +): Promise => { + // TODO: check if CSP package installed via the Fleet API + try { + const { saved_objects: postDeleteRules }: SavedObjectsFindResponse = + await soClient.find({ + type: cspRuleAssetSavedObjectType, + }); + + if (!postDeleteRules.length) { + return true; + } + return false; + } catch (e) { + logger.error(e); + return false; + } +}; + const generateRulesFromTemplates = ( packagePolicyId: string, policyId: string, diff --git a/x-pack/plugins/cloud_security_posture/server/lib/task_manager_util.ts b/x-pack/plugins/cloud_security_posture/server/lib/task_manager_util.ts new file mode 100644 index 0000000000000..190ba8aa7e2a2 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/server/lib/task_manager_util.ts 
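Review bot: removing the `isCspPackagePolicy` guard means `onPackagePolicyPostCreateCallback` now creates CSP rule saved objects for every package policy Fleet reports, unless the call site filters by package name first; that call site (plugin.ts) is not in this chunk, so whether the check merely moved cannot be confirmed here. Either way the callback's JSDoc should now state the precondition, e.g. `Caller must invoke this only for Cloud Security Posture package policies; no package check is performed here.`, since a future registration that forgets the filter would silently seed rules for unrelated integrations. The enclosing function body continues outside the hunk.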
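Review bot: `isCspPackageInstalled` returns `true` precisely when the `find` for `cspRuleAssetSavedObjectType` comes back empty and `false` when rules exist or the lookup throws, so the name states the opposite of what the function reports; from the `postDeleteRules` variable and the TODO it looks like a 'no CSP rule instances remain' check run after a package policy deletion. Either rename it (`hasNoCspRuleInstances`) or flip the condition, and replace the `if/else` with `return postDeleteRules.length === 0;`. Since only the length matters, `perPage: 1` (or `fields: []`) would avoid pulling a full default page of rule bodies for a yes/no answer. Returning `false` on error conflates 'rules still present' with 'could not check', which a caller acting on the result cannot tell apart; logging the transformed message and rethrowing, or returning `undefined`, would be more honest.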
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
+import { transformError } from '@kbn/securitysolution-es-utils';
+import type { Logger } from '@kbn/core/server';
+import type { TaskInstance } from '@kbn/task-manager-plugin/server';
+
+type Require = Omit & Required>;
+type TaskInstanceWithId = Require;
+
+export async function scheduleTaskSafe(
+ taskManager: TaskManagerStartContract,
+ taskConfig: TaskInstanceWithId,
+ logger: Logger
+): Promise {
+ try {
+ await taskManager.ensureScheduled(taskConfig);
+ logger.info(`Task: ${taskConfig.id} is scheduled`);
+ } catch (errMsg) {
+ const error = transformError(errMsg);
+ logger.error(`Error scheduling task, received ${error.message}`);
+ return false;
+ }
+
+ return true;
+}
+
+export async function removeTaskSafe(
+ taskManager: TaskManagerStartContract,
+ taskId: string,
+ logger: Logger
+): Promise {
+ try {
+ await taskManager.remove(taskId);
+ logger.info(`Task: ${taskId} removed`);
+ } catch (errMsg) {
+ logger.error(`Failed to remove task: ${taskId}`);
+ return false;
+ }
+
+ return true;
+}
diff --git a/x-pack/plugins/cloud_security_posture/server/plugin.test.ts b/x-pack/plugins/cloud_security_posture/server/plugin.test.ts
index 43dc550a677a9..535f9653365b7 100644
--- a/x-pack/plugins/cloud_security_posture/server/plugin.test.ts
+++ b/x-pack/plugins/cloud_security_posture/server/plugin.test.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { coreMock, httpServerMock, savedObjectsClientMock } from '@kbn/core/server/mocks';
+import { coreMock, httpServerMock } from '@kbn/core/server/mocks';
 import {
 createPackagePolicyServiceMock,
 createArtifactsClientMock,
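Review bot: `removeTaskSafe` drops the caught `errMsg` without logging it, so a failed `taskManager.remove` leaves only `Failed to remove task: <id>` with no reason, whereas `scheduleTaskSafe` a few lines above runs the error through `transformError` and logs `error.message`. Make the two consistent: `const error = transformError(errMsg);` followed by `logger.error(`Failed to remove task: ${taskId}, ${error.message}`);`. The schedule-path message could likewise carry `taskConfig.id` so it can be correlated with the `Task: ... is scheduled` info line.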
@@ -13,31 +13,38 @@ import { createMockAgentService, createMockAgentPolicyService, } from '@kbn/fleet-plugin/server/mocks'; +import { taskManagerMock } from '@kbn/task-manager-plugin/server/mocks'; -import { createPackagePolicyMock } from '@kbn/fleet-plugin/common/mocks'; +import { createPackagePolicyMock, deletePackagePolicyMock } from '@kbn/fleet-plugin/common/mocks'; import { dataPluginMock } from '@kbn/data-plugin/server/mocks'; import { CspPlugin } from './plugin'; import { CspServerPluginStartDeps } from './types'; -import { createFleetAuthzMock, Installation } from '@kbn/fleet-plugin/common'; +import { + createFleetAuthzMock, + Installation, + PackagePolicy, + UpdatePackagePolicy, +} from '@kbn/fleet-plugin/common'; import { ExternalCallback, FleetStartContract, + PostPackagePolicyDeleteCallback, PostPackagePolicyPostCreateCallback, } from '@kbn/fleet-plugin/server'; import { CLOUD_SECURITY_POSTURE_PACKAGE_NAME } from '../common/constants'; import Chance from 'chance'; import type { AwaitedProperties } from '@kbn/utility-types'; import type { DeeplyMockedKeys } from '@kbn/utility-types/jest'; -import { RequestHandlerContext } from '@kbn/core/server'; +import { + ElasticsearchClient, + RequestHandlerContext, + SavedObjectsClientContract, +} from '@kbn/core/server'; const chance = new Chance(); const mockRouteContext = { - core: { - savedObjects: { - client: savedObjectsClientMock.create(), - }, - }, + core: coreMock.createRequestHandlerContext(), } as unknown as AwaitedProperties; const createMockFleetStartContract = (): DeeplyMockedKeys => { @@ -66,6 +73,7 @@ describe('Cloud Security Posture Plugin', () => { const mockPlugins: CspServerPluginStartDeps = { fleet: fleetMock, data: dataPluginMock.createStartContract(), + taskManager: taskManagerMock.createStart(), }; const contextMock = coreMock.createCustomRequestHandlerContext(mockRouteContext); 
@@ -198,5 +206,122 @@ describe('Cloud Security Posture Plugin', () => { expect(spy).toHaveBeenCalledTimes(0); }); + + it('packagePolicyPostCreate should return the updated packagePolicy', async () => { + fleetMock.packageService.asInternalUser.getInstallation.mockImplementationOnce( + async (): Promise => { + return; + } + ); + + fleetMock.packagePolicyService.update.mockImplementation( + ( + soClient: SavedObjectsClientContract, + esClient: ElasticsearchClient, + id: string, + packagePolicyUpdate: UpdatePackagePolicy + ): Promise => { + // @ts-expect-error 2322 + return packagePolicyUpdate; + } + ); + + const packageMock = createPackagePolicyMock(); + packageMock.package!.name = CLOUD_SECURITY_POSTURE_PACKAGE_NAME; + packageMock.vars = { dataYaml: { type: 'foo' } }; + + const packagePolicyPostCreateCallbacks: PostPackagePolicyPostCreateCallback[] = []; + fleetMock.registerExternalCallback.mockImplementation((...args) => { + if (args[0] === 'packagePolicyPostCreate') { + packagePolicyPostCreateCallbacks.push(args[1]); + } + }); + + const context = coreMock.createPluginInitializerContext(); + plugin = new CspPlugin(context); + const spy = jest.spyOn(plugin, 'initialize').mockImplementation(); + + // Act + await plugin.start(coreMock.createStart(), mockPlugins); + await mockPlugins.fleet.fleetSetupCompleted(); + + // Assert + expect(fleetMock.packageService.asInternalUser.getInstallation).toHaveBeenCalledTimes(1); + expect(spy).toHaveBeenCalledTimes(0); + + expect(packagePolicyPostCreateCallbacks.length).toBeGreaterThan(0); + + for (const cb of packagePolicyPostCreateCallbacks) { + const updatedPackagePolicy = await cb( + packageMock, + contextMock, + httpServerMock.createKibanaRequest() + ); + if (fleetMock.packagePolicyService.update.mock.calls.length) { + expect(updatedPackagePolicy).toHaveProperty('vars'); + expect(updatedPackagePolicy.vars).toHaveProperty('dataYaml'); + expect(updatedPackagePolicy.vars!.dataYaml).toHaveProperty('value'); + } + } + 
expect(fleetMock.packagePolicyService.update).toHaveBeenCalledTimes(1); + }); + + it('should uninstall resources when package is removed', async () => { + fleetMock.packageService.asInternalUser.getInstallation.mockImplementationOnce( + async (): Promise => { + return; + } + ); + + const deletedPackagePolicyMock = deletePackagePolicyMock(); + deletedPackagePolicyMock[0].package!.name = CLOUD_SECURITY_POSTURE_PACKAGE_NAME; + + const packagePolicyPostDeleteCallbacks: PostPackagePolicyDeleteCallback[] = []; + fleetMock.registerExternalCallback.mockImplementation((...args) => { + if (args[0] === 'postPackagePolicyDelete') { + packagePolicyPostDeleteCallbacks.push(args[1]); + } + }); + + const coreStart = coreMock.createStart(); + const repositoryFindMock = coreStart.savedObjects.createInternalRepository() + .find as jest.Mock; + + repositoryFindMock.mockReturnValueOnce( + Promise.resolve({ + saved_objects: [ + { + type: 'csp-rule-template', + id: 'csp_rule_template-41308bcdaaf665761478bb6f0d745a5c', + }, + ], + }) + ); + + repositoryFindMock.mockReturnValueOnce( + Promise.resolve({ + saved_objects: [], + }) + ); + + const context = coreMock.createPluginInitializerContext(); + plugin = new CspPlugin(context); + const spy = jest.spyOn(plugin, 'uninstallResources').mockImplementation(); + + // Act + await plugin.start(coreStart, mockPlugins); + await mockPlugins.fleet.fleetSetupCompleted(); + + // Assert + expect(fleetMock.packageService.asInternalUser.getInstallation).toHaveBeenCalledTimes(1); + + expect(packagePolicyPostDeleteCallbacks.length).toBeGreaterThan(0); + + for (const cb of packagePolicyPostDeleteCallbacks) { + await cb(deletedPackagePolicyMock); + } + expect(repositoryFindMock).toHaveBeenCalledTimes(2); + expect(spy).toHaveBeenCalledTimes(1); + }); }); }); diff --git a/x-pack/plugins/cloud_security_posture/server/plugin.ts b/x-pack/plugins/cloud_security_posture/server/plugin.ts index d9fdea9488036..67a52dec24ea0 100755 
--- a/x-pack/plugins/cloud_security_posture/server/plugin.ts +++ b/x-pack/plugins/cloud_security_posture/server/plugin.ts @@ -16,6 +16,10 @@ import type { } from '@kbn/core/server'; import { DeepReadonly } from 'utility-types'; import { DeletePackagePoliciesResponse, PackagePolicy } from '@kbn/fleet-plugin/common'; +import { + TaskManagerSetupContract, + TaskManagerStartContract, +} from '@kbn/task-manager-plugin/server'; import { CspAppService } from './lib/csp_app_services'; import type { CspServerPluginSetup, @@ -23,17 +27,26 @@ import type { CspServerPluginSetupDeps, CspServerPluginStartDeps, CspRequestHandlerContext, + CspServerPluginStartServices, } from './types'; import { defineRoutes } from './routes'; import { cspRuleTemplateAssetType } from './saved_objects/csp_rule_template'; import { cspRuleAssetType } from './saved_objects/csp_rule_type'; -import { initializeCspTransformsIndices } from './create_indices/create_transforms_indices'; +import { initializeCspIndices } from './create_indices/create_indices'; import { initializeCspTransforms } from './create_transforms/create_transforms'; import { + isCspPackageInstalled, onPackagePolicyPostCreateCallback, - onPackagePolicyDeleteCallback, + removeCspRulesInstancesCallback, } from './fleet_integration/fleet_integration'; import { CLOUD_SECURITY_POSTURE_PACKAGE_NAME } from '../common/constants'; +import { updateAgentConfiguration } from './routes/configuration/update_rules_configuration'; + +import { + removeFindingsStatsTask, + scheduleFindingsStatsTask, + setupFindingsStatsTask, +} from './tasks/findings_stats_task'; export interface CspAppContext { logger: Logger; @@ -74,6 +87,9 @@ export class CspPlugin // Register server side APIs defineRoutes(router, cspAppContext); + const coreStartServices = core.getStartServices(); + this.setupCspTasks(plugins.taskManager, coreStartServices, this.logger); + return {}; } 
@@ -90,7 +106,7 @@ export class CspPlugin // If package is installed we want to make sure all needed assets are installed if (packageInfo) { // noinspection ES6MissingAwait - this.initialize(core); + this.initialize(core, plugins.taskManager); } plugins.fleet.registerExternalCallback( @@ -101,9 +117,19 @@ export class CspPlugin _: KibanaRequest ): Promise => { if (packagePolicy.package?.name === CLOUD_SECURITY_POSTURE_PACKAGE_NAME) { - await this.initialize(core); + await this.initialize(core, plugins.taskManager); + const soClient = (await context.core).savedObjects.client; + const esClient = (await context.core).elasticsearch.client.asCurrentUser; await onPackagePolicyPostCreateCallback(this.logger, packagePolicy, soClient); + + const updatedPackagePolicy = await updateAgentConfiguration( + plugins.fleet.packagePolicyService, + packagePolicy, + esClient, + soClient + ); + return updatedPackagePolicy; } return packagePolicy; @@ -115,11 +141,14 @@ export class CspPlugin async (deletedPackagePolicies: DeepReadonly) => { for (const deletedPackagePolicy of deletedPackagePolicies) { if (deletedPackagePolicy.package?.name === CLOUD_SECURITY_POSTURE_PACKAGE_NAME) { - await onPackagePolicyDeleteCallback( - this.logger, - deletedPackagePolicy, - core.savedObjects.createInternalRepository() - ); + const soClient = core.savedObjects.createInternalRepository(); + await removeCspRulesInstancesCallback(deletedPackagePolicy, soClient, this.logger); + + const isPackageExists = await isCspPackageInstalled(soClient, this.logger); + + if (isPackageExists) { + await this.uninstallResources(plugins.taskManager, this.logger); + } } } } 
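Review bot: `isPackageExists` reads as "the CSP package is still installed", but it is assigned from `isCspPackageInstalled`, which in this same commit returns true only when no csp-rule saved objects are left, so the `if (isPackageExists) { await this.uninstallResources(...) }` branch does the right thing for a wrong-sounding reason. Rename the local so the branch reads as intended: `const noCspRulesRemain = await isCspPackageInstalled(soClient, this.logger);` and `if (noCspRulesRemain) {`. The enclosing delete callback starts outside the hunk.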
@@ -131,9 +160,22 @@ export class CspPlugin public stop() {} - async initialize(core: CoreStart): Promise { + async initialize(core: CoreStart, taskManager: TaskManagerStartContract): Promise { this.logger.debug('initialize'); - await initializeCspTransformsIndices(core.elasticsearch.client.asInternalUser, this.logger); + await initializeCspIndices(core.elasticsearch.client.asInternalUser, this.logger); await initializeCspTransforms(core.elasticsearch.client.asInternalUser, this.logger); + await scheduleFindingsStatsTask(taskManager, this.logger); + } + + async uninstallResources(taskManager: TaskManagerStartContract, logger: Logger): Promise { + await removeFindingsStatsTask(taskManager, logger); + } + + setupCspTasks( + taskManager: TaskManagerSetupContract, + coreStartServices: CspServerPluginStartServices, + logger: Logger + ) { + setupFindingsStatsTask(taskManager, coreStartServices, logger); } } diff --git a/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.test.ts b/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.test.ts index d0326fb037b60..26ee8e4f55c52 100644 --- a/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.test.ts +++ b/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.test.ts @@ -17,7 +17,7 @@ import { defineUpdateRulesConfigRoute, getCspRules, setVarToPackagePolicy, - updatePackagePolicy, + updateAgentConfiguration, } from './update_rules_configuration'; import { CspAppService } from '../../lib/csp_app_services'; @@ -35,6 +35,7 @@ import { SavedObjectsFindResponse, } from '@kbn/core/server'; import { Chance } from 'chance'; +import { PackagePolicy, UpdatePackagePolicy } from '@kbn/fleet-plugin/common'; describe('Update rules configuration API', () => { let logger: ReturnType; 
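Review bot: `uninstallResources` and `setupCspTasks` are added as public members without documentation, and `setupCspTasks` has no return type. Suggested JSDoc: for `uninstallResources`, `Tears down background resources created by initialize(); currently only the findings-stats task.`, and for `setupCspTasks`, `Registers the plugin's task definitions with Task Manager during setup; scheduling happens later in initialize().` Adding `: void` to `setupCspTasks` keeps it in line with the other annotated signatures in the class.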
@@ -173,39 +174,130 @@ describe('Update rules configuration API', () => { expect(cspConfig).toMatchObject({ data_yaml: { activated_rules: { cis_k8s: [] } } }); }); - it('validate adding new data.yaml to package policy instance', async () => { + it('validate adding new dataYaml to package policy instance', async () => { const packagePolicy = createPackagePolicyMock(); + packagePolicy.vars = { dataYaml: { type: 'yaml' } }; const dataYaml = 'data_yaml:\n activated_rules:\n cis_k8s:\n - 1.1.1\n - 1.1.2\n'; const updatedPackagePolicy = setVarToPackagePolicy(packagePolicy, dataYaml); + expect(updatedPackagePolicy.vars).toEqual({ dataYaml: { type: 'yaml', value: dataYaml } }); + }); + + it('validate adding new datYaml to package policy instance when it not exists on source', async () => { + const packagePolicy = createPackagePolicyMock(); - expect(updatedPackagePolicy.vars).toEqual({ dataYaml: { type: 'config', value: dataYaml } }); + const dataYaml = 'data_yaml:\n activated_rules:\n cis_k8s:\n - 1.1.1\n - 1.1.2\n'; + const updatedPackagePolicy = setVarToPackagePolicy(packagePolicy, dataYaml); + expect(updatedPackagePolicy.vars).toEqual({ dataYaml: { type: 'yaml', value: dataYaml } }); }); - it('validate updatePackagePolicy is called with the right parameters', async () => { + it('verify that the API for updating package policy was invoked', async () => { mockEsClient = elasticsearchClientMock.createClusterClient().asScoped().asInternalUser; mockSoClient = savedObjectsClientMock.create(); const mockPackagePolicyService = createPackagePolicyServiceMock(); - const packagePolicyId1 = chance.guid(); - const packagePolicyId2 = chance.guid(); - const mockPackagePolicy1 = createPackagePolicyMock(); - const mockPackagePolicy2 = createPackagePolicyMock(); - mockPackagePolicy1.id = packagePolicyId1; - mockPackagePolicy2.id = packagePolicyId2; - const packagePolicies = mockPackagePolicy1; + mockPackagePolicyService.update.mockImplementation( + ( + soClient: 
SavedObjectsClientContract, + esClient: ElasticsearchClient, + id: string, + packagePolicyUpdate: UpdatePackagePolicy + ): Promise => { + // @ts-expect-error 2322 + return packagePolicyUpdate; + } + ); + + mockSoClient.find.mockResolvedValueOnce({ + page: 1, + per_page: 1000, + total: 2, + saved_objects: [ + { + type: 'csp_rule', + rego_rule_id: '1.1.1', + attributes: { enabled: false, rego_rule_id: 'cis_1_1_1' }, + }, + { + type: 'csp_rule', + attributes: { enabled: false, rego_rule_id: 'cis_1_1_2' }, + }, + { + type: 'csp_rule', + attributes: { enabled: false, rego_rule_id: 'cis_1_1_3' }, + }, + ], + } as unknown as SavedObjectsFindResponse); - const dataYaml = 'activated_rules:\n cis_k8s:\n - 1.1.1\n - 1.1.2\n'; + const mockPackagePolicy = createPackagePolicyMock(); + mockPackagePolicy.vars = { dataYaml: { type: 'foo' } }; + const packagePolicyId1 = chance.guid(); + mockPackagePolicy.id = packagePolicyId1; - await updatePackagePolicy( + const updatePackagePolicy = await updateAgentConfiguration( mockPackagePolicyService, - packagePolicies, + mockPackagePolicy, mockEsClient, - mockSoClient, - dataYaml + mockSoClient ); + expect(updatePackagePolicy.vars!.dataYaml).toHaveProperty('value'); + expect(updatePackagePolicy.vars!.dataYaml).toMatchObject({ type: 'yaml' }); expect(mockPackagePolicyService.update).toBeCalledTimes(1); expect(mockPackagePolicyService.update.mock.calls[0][2]).toEqual(packagePolicyId1); }); + + it('validate updateAgentConfiguration not override vars', async () => { + mockEsClient = elasticsearchClientMock.createClusterClient().asScoped().asInternalUser; + mockSoClient = savedObjectsClientMock.create(); + const mockPackagePolicyService = createPackagePolicyServiceMock(); + + mockSoClient.find.mockResolvedValueOnce({ + page: 1, + per_page: 1000, + total: 2, + saved_objects: [ + { + type: 'csp_rule', + rego_rule_id: '1.1.1', + attributes: { enabled: false, rego_rule_id: 'cis_1_1_1' }, + }, + { + type: 'csp_rule', + attributes: { enabled: false, 
rego_rule_id: 'cis_1_1_2' }, + }, + { + type: 'csp_rule', + attributes: { enabled: false, rego_rule_id: 'cis_1_1_3' }, + }, + ], + } as unknown as SavedObjectsFindResponse); + + const mockPackagePolicy = createPackagePolicyMock(); + const packagePolicyId1 = chance.guid(); + mockPackagePolicy.id = packagePolicyId1; + mockPackagePolicy.vars = { foo: {}, dataYaml: { type: 'yaml' } }; + + mockPackagePolicyService.update.mockImplementation( + ( + soClient: SavedObjectsClientContract, + esClient: ElasticsearchClient, + id: string, + packagePolicyUpdate: UpdatePackagePolicy + ): Promise => { + // @ts-expect-error 2322 + return packagePolicyUpdate; + } + ); + + const updatedPackagePolicy = await updateAgentConfiguration( + mockPackagePolicyService, + mockPackagePolicy, + mockEsClient, + mockSoClient + ); + + expect(mockPackagePolicyService.update).toBeCalledTimes(1); + expect(updatedPackagePolicy.vars).toHaveProperty('foo'); + }); }); diff --git a/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.ts b/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.ts index 72c19fd5e37dd..9f00cef95c696 100644 --- a/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.ts +++ b/x-pack/plugins/cloud_security_posture/server/routes/configuration/update_rules_configuration.ts 
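Review bot: The new test title `validate adding new datYaml to package policy instance when it not exists on source` has a typo and a grammar slip; `validate adding new dataYaml to package policy instance when it does not exist on source` matches the sibling test's spelling. The two `mockSoClient.find` fixtures also declare `total: 2` while listing three `saved_objects`, which is harmless for these assertions but misleading to the next reader.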
@@ -84,25 +84,30 @@ export const setVarToPackagePolicy = ( dataYaml: string ): PackagePolicy => { const configFile: PackagePolicyConfigRecord = { - dataYaml: { type: 'config', value: dataYaml }, + dataYaml: { type: 'yaml', value: dataYaml }, }; const updatedPackagePolicy = produce(packagePolicy, (draft) => { unset(draft, 'id'); - draft.vars = configFile; - // TODO: disable comments after adding base config to integration - // draft.inputs[0].vars = configFile; + if (draft.vars) { + draft.vars.dataYaml = configFile.dataYaml; + } else { + draft.vars = configFile; + } }); return updatedPackagePolicy; }; -export const updatePackagePolicy = ( +export const updateAgentConfiguration = async ( packagePolicyService: PackagePolicyServiceInterface, packagePolicy: PackagePolicy, esClient: ElasticsearchClient, - soClient: SavedObjectsClientContract, - dataYaml: string + soClient: SavedObjectsClientContract ): Promise => { + const cspRules = await getCspRules(soClient, packagePolicy); + const rulesConfig = createRulesConfig(cspRules); + const dataYaml = convertRulesConfigToYaml(rulesConfig); const updatedPackagePolicy = setVarToPackagePolicy(packagePolicy, dataYaml); + return packagePolicyService.update(soClient, esClient, packagePolicy.id, updatedPackagePolicy); }; @@ -133,19 +138,14 @@ export const defineUpdateRulesConfigRoute = (router: CspRouter, cspContext: CspA packagePolicyId ); - const cspRules = await getCspRules(soClient, packagePolicy); - const rulesConfig = createRulesConfig(cspRules); - const dataYaml = convertRulesConfigToYaml(rulesConfig); - - const updatedPackagePolicies = await updatePackagePolicy( - packagePolicyService!, + const updatedPackagePolicy = await updateAgentConfiguration( + packagePolicyService, packagePolicy, esClient, - soClient, - dataYaml + soClient ); - return response.ok({ body: updatedPackagePolicies }); + return response.ok({ body: updatedPackagePolicy }); } catch (err) { const error = transformError(err); cspContext.logger.error( 
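Review bot: `updateAgentConfiguration` now does three things — loads the policy's csp rules, renders them to YAML and persists the policy through `packagePolicyService.update` — but carries no JSDoc, and the route handler in the second hunk is the only place that explains the flow. Suggested header: `Rebuilds the dataYaml var for a package policy from its enabled csp rules and persists it via packagePolicyService.update; resolves to the updated policy.` `setVarToPackagePolicy` would benefit from one line noting that only `dataYaml` is replaced and other `vars` are preserved, which the new test `validate updateAgentConfiguration not override vars` relies on.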
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.test.ts b/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.test.ts new file mode 100644 index 0000000000000..fd28ef5db3d55 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.test.ts 
@@ -0,0 +1,168 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { Chance } from 'chance'; +// eslint-disable-next-line @kbn/eslint/no-restricted-paths +import { elasticsearchClientMock } from '@kbn/core/server/elasticsearch/client/mocks'; +import type { ElasticsearchClient } from '@kbn/core/server'; +import { httpServerMock, httpServiceMock, loggingSystemMock } from '@kbn/core/server/mocks'; +import { DEFAULT_PIT_KEEP_ALIVE, defineEsPitRoute, esPitInputSchema } from './es_pit'; +import { CspAppService } from '../../lib/csp_app_services'; +import { CspAppContext } from '../../plugin'; + +describe('ES Point in time API endpoint', () => { + const chance = new Chance(); + let mockEsClient: jest.Mocked; + + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('validate the API route path', () => { + const router = httpServiceMock.createRouter(); + const cspContext: CspAppContext = { + logger: loggingSystemMock.createLogger(), + service: new CspAppService(), + }; + + defineEsPitRoute(router, cspContext); + + const [config] = router.post.mock.calls[0]; + expect(config.path).toEqual('/internal/cloud_security_posture/es_pit'); + }); + + it('should accept to a user with fleet.all privilege', async () => { + const router = httpServiceMock.createRouter(); + const cspContext: CspAppContext = { + logger: loggingSystemMock.createLogger(), + service: new CspAppService(), + }; + + defineEsPitRoute(router, cspContext); + + const mockContext = { + fleet: { authz: { fleet: { all: true } } }, + }; + + const mockResponse = httpServerMock.createResponseFactory(); + const mockRequest = httpServerMock.createKibanaRequest(); + const [context, req, res] = [mockContext, mockRequest, mockResponse]; + + const [_, handler] = router.post.mock.calls[0]; + await handler(context, 
req, res); + + expect(res.forbidden).toHaveBeenCalledTimes(0); + }); + + it('should reject to a user without fleet.all privilege', async () => { + const router = httpServiceMock.createRouter(); + const cspContext: CspAppContext = { + logger: loggingSystemMock.createLogger(), + service: new CspAppService(), + }; + + defineEsPitRoute(router, cspContext); + + const mockContext = { + fleet: { authz: { fleet: { all: false } } }, + }; + + const mockResponse = httpServerMock.createResponseFactory(); + const mockRequest = httpServerMock.createKibanaRequest(); + const [context, req, res] = [mockContext, mockRequest, mockResponse]; + + const [_, handler] = router.post.mock.calls[0]; + await handler(context, req, res); + + expect(res.forbidden).toHaveBeenCalledTimes(1); + }); + + it('should return the newly created PIT ID from ES', async () => { + const router = httpServiceMock.createRouter(); + const cspContext: CspAppContext = { + logger: loggingSystemMock.createLogger(), + service: new CspAppService(), + }; + + defineEsPitRoute(router, cspContext); + + const pitId = chance.string(); + mockEsClient = elasticsearchClientMock.createClusterClient().asScoped().asInternalUser; + mockEsClient.openPointInTime.mockImplementation(() => Promise.resolve({ id: pitId })); + + const mockContext = { + fleet: { authz: { fleet: { all: true } } }, + core: { elasticsearch: { client: { asCurrentUser: mockEsClient } } }, + }; + + const indexName = chance.string(); + const keepAlive = chance.string(); + const mockResponse = httpServerMock.createResponseFactory(); + const mockRequest = httpServerMock.createKibanaRequest({ + query: { index_name: indexName, keep_alive: keepAlive }, + }); + + const [context, req, res] = [mockContext, mockRequest, mockResponse]; + const [_, handler] = router.post.mock.calls[0]; + await handler(context, req, res); + + expect(mockEsClient.openPointInTime).toHaveBeenCalledTimes(1); + expect(mockEsClient.openPointInTime).toHaveBeenLastCalledWith({ + index: indexName, + 
keep_alive: keepAlive, + }); + + expect(res.ok).toHaveBeenCalledTimes(1); + expect(res.ok).toHaveBeenLastCalledWith({ body: pitId }); + }); + + describe('test input schema', () => { + it('passes keep alive and index name parameters', () => { + const indexName = chance.string(); + const keepAlive = chance.string(); + const validatedQuery = esPitInputSchema.validate({ + index_name: indexName, + keep_alive: keepAlive, + }); + + expect(validatedQuery).toMatchObject({ + index_name: indexName, + keep_alive: keepAlive, + }); + }); + + it('populates default keep alive parameter value', () => { + const indexName = chance.string(); + const validatedQuery = esPitInputSchema.validate({ index_name: indexName }); + + expect(validatedQuery).toMatchObject({ + index_name: indexName, + keep_alive: DEFAULT_PIT_KEEP_ALIVE, + }); + }); + + it('throws when index name parameter is not passed', () => { + expect(() => { + esPitInputSchema.validate({}); + }).toThrow(); + }); + + it('throws when index name parameter is not a string', () => { + const indexName = chance.integer(); + expect(() => { + esPitInputSchema.validate({ index_name: indexName }); + }).toThrow(); + }); + + it('throws when keep alive parameter is not a string', () => { + const indexName = chance.string(); + const keepAlive = chance.integer(); + expect(() => { + esPitInputSchema.validate({ index_name: indexName, keep_alive: keepAlive }); + }).toThrow(); + }); + }); +}); diff --git a/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.ts b/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.ts new file mode 100644 index 0000000000000..97f8e9683aa50 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/server/routes/es_pit/es_pit.ts 
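Review bot: No test exercises the catch branch of `defineEsPitRoute` — the case where `openPointInTime` rejects and the handler should answer with `response.customError` carrying the transformed status code. A case mirroring 'should return the newly created PIT ID from ES' with `mockEsClient.openPointInTime.mockImplementation(() => Promise.reject(new Error('boom')))` and `expect(res.customError).toHaveBeenCalledTimes(1)` would pin that path.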
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { schema } from '@kbn/config-schema';
+import { transformError } from '@kbn/securitysolution-es-utils';
+import { ES_PIT_ROUTE_PATH } from '../../../common/constants';
+import type { CspAppContext } from '../../plugin';
+import type { CspRouter } from '../../types';
+
+export const DEFAULT_PIT_KEEP_ALIVE = '1m';
+
+export const esPitInputSchema = schema.object({
+ index_name: schema.string(),
+ keep_alive: schema.string({ defaultValue: DEFAULT_PIT_KEEP_ALIVE }),
+});
+
+export const defineEsPitRoute = (router: CspRouter, cspContext: CspAppContext): void =>
+ router.post(
+ {
+ path: ES_PIT_ROUTE_PATH,
+ validate: { query: esPitInputSchema },
+ },
+ async (context, request, response) => {
+ if (!(await context.fleet).authz.fleet.all) {
+ return response.forbidden();
+ }
+
+ try {
+ const coreContext = await context.core;
+ const esClient = coreContext.elasticsearch.client.asCurrentUser;
+ const { id } = await esClient.openPointInTime({
+ index: request.query.index_name,
+ keep_alive: request.query.keep_alive,
+ });
+
+ return response.ok({ body: id });
+ } catch (err) {
+ const error = transformError(err);
+ cspContext.logger.error(`Failed to open Elasticsearch point in time: ${error}`);
+ return response.customError({
+ body: { message: error.message },
+ statusCode: error.statusCode,
+ });
+ }
+ }
+ );
diff --git a/x-pack/plugins/cloud_security_posture/server/routes/index.ts b/x-pack/plugins/cloud_security_posture/server/routes/index.ts
index 143c2e45d5511..dab857ab7118a 100755
--- a/x-pack/plugins/cloud_security_posture/server/routes/index.ts
+++ b/x-pack/plugins/cloud_security_posture/server/routes/index.ts
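Review bot: `index_name` is accepted as any string and passed straight to `esClient.openPointInTime`, so a caller with `fleet.all` can open a point-in-time on any index they name (bounded only by that user's Elasticsearch index privileges, since `asCurrentUser` is used), and no matching close endpoint is added, so each PIT lives until `keep_alive` expires. Constrain the query to the plugin's own indices, e.g. `index_name: schema.oneOf([schema.literal(LATEST_FINDINGS_INDEX_DEFAULT_NS)])` with that constant imported from `../../../common/constants` next to `ES_PIT_ROUTE_PATH`, and consider validating `keep_alive` against the time-unit format instead of a free string (Elasticsearch's `search.max_keep_alive` caps the duration server-side, but a format check keeps malformed values from reaching it). Separately, `${error}` in the catch block interpolates the object returned by `transformError`, which logs as `[object Object]`; use `${error.message}` as `scheduleTaskSafe` in `lib/task_manager_util.ts` does.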
@@ -9,6 +9,7 @@ import { defineGetComplianceDashboardRoute } from './compliance_dashboard/compli
 import { defineGetBenchmarksRoute } from './benchmarks/benchmarks';
 import { defineUpdateRulesConfigRoute } from './configuration/update_rules_configuration';
 import { defineGetCspSetupStatusRoute } from './setup_status/setup_status';
+import { defineEsPitRoute } from './es_pit/es_pit';
 import { CspAppContext } from '../plugin';
 import { CspRouter } from '../types';
 
@@ -17,4 +18,5 @@ export function defineRoutes(router: CspRouter, cspContext: CspAppContext) {
 defineGetBenchmarksRoute(router, cspContext);
 defineUpdateRulesConfigRoute(router, cspContext);
 defineGetCspSetupStatusRoute(router, cspContext);
+defineEsPitRoute(router, cspContext);
 }
diff --git a/x-pack/plugins/cloud_security_posture/server/tasks/findings_stats_task.ts b/x-pack/plugins/cloud_security_posture/server/tasks/findings_stats_task.ts
new file mode 100644
index 0000000000000..bbc7da0fe22ae
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/server/tasks/findings_stats_task.ts
@@ -0,0 +1,228 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { transformError } from '@kbn/securitysolution-es-utils'; +import { + RunContext, + TaskManagerSetupContract, + TaskManagerStartContract, +} from '@kbn/task-manager-plugin/server'; +import { SearchRequest } from '@kbn/data-plugin/common'; +import { ElasticsearchClient } from '@kbn/core/server'; +import type { Logger } from '@kbn/core/server'; +import { + AggregatedFindingsByCluster, + ScoreBucket, + FindingsStatsTaskResult, + TaskHealthStatus, +} from './types'; +import { + BENCHMARK_SCORE_INDEX_DEFAULT_NS, + LATEST_FINDINGS_INDEX_DEFAULT_NS, +} from '../../common/constants'; +import { scheduleTaskSafe, removeTaskSafe } from '../lib/task_manager_util'; +import { CspServerPluginStartServices } from '../types'; + +const CSPM_FINDINGS_STATS_TASK_ID = 'cloud_security_posture-findings_stats'; +const CSPM_FINDINGS_STATS_TASK_TYPE = 'cloud_security_posture-findings'; +const CSPM_FINDINGS_STATS_INTERVAL = '5m'; + +export async function scheduleFindingsStatsTask( + taskManager: TaskManagerStartContract, + logger: Logger +) { + await scheduleTaskSafe( + taskManager, + { + id: CSPM_FINDINGS_STATS_TASK_ID, + taskType: CSPM_FINDINGS_STATS_TASK_TYPE, + schedule: { + interval: CSPM_FINDINGS_STATS_INTERVAL, + }, + state: {}, + params: {}, + }, + logger + ); +} + +export async function removeFindingsStatsTask( + taskManager: TaskManagerStartContract, + logger: Logger +) { + await removeTaskSafe(taskManager, CSPM_FINDINGS_STATS_TASK_ID, logger); +} + +export function setupFindingsStatsTask( + taskManager: TaskManagerSetupContract, + coreStartServices: CspServerPluginStartServices, + logger: Logger +) { + try { + taskManager.registerTaskDefinitions({ + [CSPM_FINDINGS_STATS_TASK_TYPE]: { + title: 
'Aggregate latest findings index for score calculation', + createTaskRunner: taskRunner(coreStartServices, logger), + }, + }); + logger.info(`Task: ${CSPM_FINDINGS_STATS_TASK_TYPE} registered successfully`); + } catch (errMsg) { + const error = transformError(errMsg); + logger.error(`Failed to register task: ${CSPM_FINDINGS_STATS_TASK_TYPE}, ${error.message}`); + } +} + +export function taskRunner(coreStartServices: CspServerPluginStartServices, logger: Logger) { + return ({ taskInstance }: RunContext) => { + const { state } = taskInstance; + return { + async run(): Promise { + try { + logger.info(`Runs task: ${CSPM_FINDINGS_STATS_TASK_TYPE}`); + const esClient = (await coreStartServices)[0].elasticsearch.client.asInternalUser; + const status = await aggregateLatestFindings(esClient, state.runs, logger); + + return { + state: { + runs: (state.runs || 0) + 1, + health_status: status, + }, + }; + } catch (errMsg) { + const error = transformError(errMsg); + logger.warn(`Error executing alerting health check task: ${error.message}`); + return { + state: { + runs: (state.runs || 0) + 1, + health_status: 'error', + }, + }; + } + }, + }; + }; +} + +const aggregateLatestFindings = async ( + esClient: ElasticsearchClient, + stateRuns: number, + logger: Logger +): Promise => { + try { + const startAggTime = performance.now(); + const evaluationsQueryResult = await esClient.search(getScoreQuery()); + + if (!evaluationsQueryResult.aggregations) { + logger.warn(`No data found in latest findings index`); + return 'warning'; + } + + const totalAggregationTime = performance.now() - startAggTime; + logger.debug( + `Task ${CSPM_FINDINGS_STATS_TASK_TYPE}, ${Number(totalAggregationTime).toFixed( + 2 + )} milliseconds for aggregation` + ); + + const clustersStats = Object.fromEntries( + evaluationsQueryResult.aggregations.score_by_cluster_id.buckets.map( + (clusterStats: AggregatedFindingsByCluster) => { + return [ + clusterStats.key, + { + total_findings: 
clusterStats.total_findings.value, + passed_findings: clusterStats.passed_findings.doc_count, + failed_findings: clusterStats.failed_findings.doc_count, + }, + ]; + } + ) + ); + + const startIndexTime = performance.now(); + await esClient.index({ + index: BENCHMARK_SCORE_INDEX_DEFAULT_NS, + document: { + passed_findings: evaluationsQueryResult.aggregations.passed_findings.doc_count, + failed_findings: evaluationsQueryResult.aggregations.failed_findings.doc_count, + total_findings: evaluationsQueryResult.aggregations.total_findings.value, + score_by_cluster_id: clustersStats, + }, + }); + + const totalIndexTime = Number(performance.now() - startIndexTime).toFixed(2); + logger.debug( + `Task ${CSPM_FINDINGS_STATS_TASK_TYPE}, ${totalIndexTime} milliseconds for indexing` + ); + + const totalTaskTime = Number(performance.now() - startAggTime).toFixed(2); + logger.debug( + `Task ${CSPM_FINDINGS_STATS_TASK_TYPE}, took ${totalTaskTime} milliseconds to run` + ); + + return 'ok'; + } catch (errMsg) { + const error = transformError(errMsg); + logger.error(`failed to aggregate latest findings: ${error.message}`); + return 'error'; + } +}; + +const getScoreQuery = (): SearchRequest => ({ + index: LATEST_FINDINGS_INDEX_DEFAULT_NS, + size: 0, + query: { + match_all: {}, + }, + aggs: { + total_findings: { + value_count: { + field: 'result.evaluation.keyword', + }, + }, + passed_findings: { + filter: { + term: { + 'result.evaluation.keyword': 'passed', + }, + }, + }, + failed_findings: { + filter: { + term: { + 'result.evaluation.keyword': 'failed', + }, + }, + }, + score_by_cluster_id: { + terms: { + field: 'cluster_id.keyword', + }, + aggregations: { + total_findings: { + value_count: { + field: 'result.evaluation.keyword', + }, + }, + passed_findings: { + filter: { + term: { + 'result.evaluation.keyword': 'passed', + }, + }, + }, + failed_findings: { + filter: { + term: { + 'result.evaluation.keyword': 'failed', + }, + }, + }, + }, + }, + }, +}); 
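Review bot: The catch branch in `taskRunner`'s `run()` logs `Error executing alerting health check task: ${error.message}`, a message copied from another plugin that will mislead anyone grepping the logs; it should name this task, e.g. `Task ${CSPM_FINDINGS_STATS_TASK_TYPE} failed: ${error.message}`. `aggregateLatestFindings` also declares a `stateRuns` parameter it never reads, so the `state.runs` argument can be dropped from both the call and the signature. The document indexed into `BENCHMARK_SCORE_INDEX_DEFAULT_NS` carries no timestamp field; unless that index is backed by a data stream or ingest pipeline that stamps documents (not visible here — confirm), a consumer cannot pick the most recent score out of the documents this task appends every 5 minutes, and I would add `'@timestamp': new Date().toISOString()` to the body. Finally `ScoreBucket` is imported but unused; if the client's `search` accepts an aggregations type parameter, passing it there would type the `.score_by_cluster_id.buckets` access that is currently untyped.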
diff --git a/x-pack/plugins/cloud_security_posture/server/tasks/types.ts b/x-pack/plugins/cloud_security_posture/server/tasks/types.ts new file mode 100644 index 0000000000000..783d534b7d550 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/server/tasks/types.ts @@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export interface AggregatedFindings { + passed_findings: { doc_count: number }; + failed_findings: { doc_count: number }; + total_findings: { value: number }; +} + +export interface AggregatedFindingsByCluster extends AggregatedFindings { + key: string; +} +export interface ScoreBucket extends AggregatedFindings { + score_by_cluster_id: { + buckets: AggregatedFindingsByCluster[]; + }; +} + +export type TaskHealthStatus = 'ok' | 'warning' | 'error'; + +export interface FindingsStatsTaskResult { + state: { + runs: number; + health_status: TaskHealthStatus; + }; +} diff --git a/x-pack/plugins/cloud_security_posture/server/types.ts b/x-pack/plugins/cloud_security_posture/server/types.ts index ccbded12bddb2..c110c930fabaf 100644 --- a/x-pack/plugins/cloud_security_posture/server/types.ts +++ b/x-pack/plugins/cloud_security_posture/server/types.ts @@ -9,8 +9,18 @@ import type { PluginSetup as DataPluginSetup, PluginStart as DataPluginStart, } from '@kbn/data-plugin/server'; +import { + TaskManagerSetupContract, + TaskManagerStartContract, +} from '@kbn/task-manager-plugin/server'; -import type { RouteMethod, KibanaResponseFactory, RequestHandler, IRouter } from '@kbn/core/server'; +import type { + RouteMethod, + KibanaResponseFactory, + RequestHandler, + IRouter, + CoreStart, +} from '@kbn/core/server'; import type { FleetStartContract, FleetRequestHandlerContext } from '@kbn/fleet-plugin/server'; 
@@ -22,6 +32,7 @@ export interface CspServerPluginStart {} export interface CspServerPluginSetupDeps { // required data: DataPluginSetup; + taskManager: TaskManagerSetupContract; // optional } @@ -30,8 +41,12 @@ export interface CspServerPluginStartDeps { // required data: DataPluginStart; fleet: FleetStartContract; + taskManager: TaskManagerStartContract; } +export type CspServerPluginStartServices = Promise< + [CoreStart, CspServerPluginStartDeps, CspServerPluginStart] +>; export type CspRequestHandlerContext = FleetRequestHandlerContext; /** diff --git a/x-pack/plugins/cloud_security_posture/tsconfig.json b/x-pack/plugins/cloud_security_posture/tsconfig.json index d7902b8b05977..f18d5fa56d599 100755 --- a/x-pack/plugins/cloud_security_posture/tsconfig.json +++ b/x-pack/plugins/cloud_security_posture/tsconfig.json @@ -21,5 +21,7 @@ { "path": "../../../src/plugins/data/tsconfig.json" }, { "path": "../../../src/plugins/navigation/tsconfig.json" }, { "path": "../../../x-pack/plugins/fleet/tsconfig.json" }, + { "path": "../../../x-pack/plugins/fleet/tsconfig.json" }, + { "path": "../../../x-pack/plugins/task_manager/tsconfig.json" } ] } diff --git a/x-pack/plugins/dashboard_enhanced/public/services/drilldowns/embeddable_to_dashboard_drilldown/embeddable_to_dashboard_drilldown.tsx b/x-pack/plugins/dashboard_enhanced/public/services/drilldowns/embeddable_to_dashboard_drilldown/embeddable_to_dashboard_drilldown.tsx index bf625aabe8cb8..2849ef4a580fa 100644 --- a/x-pack/plugins/dashboard_enhanced/public/services/drilldowns/embeddable_to_dashboard_drilldown/embeddable_to_dashboard_drilldown.tsx +++ b/x-pack/plugins/dashboard_enhanced/public/services/drilldowns/embeddable_to_dashboard_drilldown/embeddable_to_dashboard_drilldown.tsx 
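Review bot: The first added line in the `tsconfig.json` hunk re-adds `{ "path": "../../../x-pack/plugins/fleet/tsconfig.json" }`, which the context line immediately above already lists, so the new side references the fleet project twice (the hunk header's counts — two additions, no deletions — confirm this is a duplicate rather than a trailing-comma fix). Drop the duplicated line and keep only the new `task_manager` reference.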
@@ -14,8 +14,8 @@ import { isTimeRange, Query, TimeRange, - extractTimeRange, } from '@kbn/data-plugin/public'; +import { extractTimeRange } from '@kbn/es-query'; import { ApplyGlobalFilterActionContext } from '@kbn/unified-search-plugin/public'; import { IEmbeddable, EmbeddableInput } from '@kbn/embeddable-plugin/public'; import { EnhancedEmbeddableContext } from '@kbn/embeddable-enhanced-plugin/public'; diff --git a/x-pack/plugins/discover_enhanced/public/actions/explore_data/explore_data_chart_action.ts b/x-pack/plugins/discover_enhanced/public/actions/explore_data/explore_data_chart_action.ts index a213563a04a46..f3f8512b85256 100644 --- a/x-pack/plugins/discover_enhanced/public/actions/explore_data/explore_data_chart_action.ts +++ b/x-pack/plugins/discover_enhanced/public/actions/explore_data/explore_data_chart_action.ts @@ -8,7 +8,6 @@ import { Action } from '@kbn/ui-actions-plugin/public'; import { DiscoverAppLocatorParams, SearchInput } from '@kbn/discover-plugin/public'; import { ApplyGlobalFilterActionContext } from '@kbn/unified-search-plugin/public'; -import { extractTimeRange } from '@kbn/data-plugin/public'; import { IEmbeddable } from '@kbn/embeddable-plugin/public'; import { KibanaLocation } from '@kbn/share-plugin/public'; import * as shared from './shared'; @@ -50,6 +49,7 @@ export class ExploreDataChartAction } const { embeddable } = context; + const { extractTimeRange } = await import('@kbn/es-query'); const { restOfFilters: filters, timeRange } = extractTimeRange( context.filters, context.timeFieldName diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/source_added.tsx b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/source_added.tsx index c4f97eb718452..ad068c29cb0e3 100644 --- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/source_added.tsx 
+++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/components/source_added.tsx @@ -30,7 +30,11 @@ export const SourceAdded: React.FC = () => { const state = JSON.parse(params.state); const isOrganization = state.context !== 'account'; const { setChromeIsVisible } = useValues(KibanaLogic); - const { saveSourceParams } = useActions(AddSourceLogic); + const addSourceLogic = AddSourceLogic({ + serviceType: state.service_type, + initialStep: 'configure', + }); + const { saveSourceParams } = useActions(addSourceLogic); // We don't want the personal dashboard to flash the Kibana chrome, so we hide it. setChromeIsVisible(isOrganization); diff --git a/x-pack/plugins/fleet/README.md b/x-pack/plugins/fleet/README.md index 0ec54b322baae..20433cf72b5c1 100644 --- a/x-pack/plugins/fleet/README.md +++ b/x-pack/plugins/fleet/README.md @@ -109,9 +109,9 @@ Once the Fleet Server container is running, you should be able to treat it as if 2. Click "Add Agent" 3. Scroll down to the bottom of the flyout that opens to view the enrollment command, copy the contents of the `--enrollment-token` option 4. Run this docker command: - ``` - docker run -e FLEET_ENROLL=true -e FLEET_INSECURE=true -e FLEET_URL=https://192.168.65.2:8220 -e FLEET_ENROLLMENT_TOKEN= --rm docker.elastic.co/beats/elastic-agent:{VERSION} - ``` + ``` + docker run -e FLEET_ENROLL=true -e FLEET_INSECURE=true -e FLEET_URL=https://192.168.65.2:8220 -e FLEET_ENROLLMENT_TOKEN= --rm docker.elastic.co/beats/elastic-agent:{VERSION} + ``` ### Tests 
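Review bot: `state.service_type` is now handed to `AddSourceLogic` as `serviceType`, but `state` is whatever `JSON.parse(params.state)` produced two lines above with no shape check, so a missing or non-string `service_type` (presumably `params` comes from the URL — confirm) is forwarded silently into the keyed logic. I would guard it before building the logic, e.g. `const serviceType = typeof state.service_type === 'string' ? state.service_type : undefined;`, and decide explicitly what the component does when it is absent. The `SourceAdded` component starts and ends outside this hunk.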
@@ -175,3 +175,14 @@ The set of bundled packages included with Kibana is dictated by a top-level `fle Until further automation is added, this `fleet_packages.json` file should be updated as part of the release process to ensure the latest compatible version of each bundled package is included with that Kibana version. **This must be done before the final BC for a release is built.** Tracking issues should be opened and tracked by the Fleet UI team. See https://github.com/elastic/kibana/issues/129309 as an example. + +As part of the bundled package update process, we'll likely also need to update the pinned Docker image that runs in Kibana's test environment. We configure this pinned registry image in + +- `x-pack/test/fleet_api_integration/config.ts` +- `x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts` +- `x-pack/test/functional/config.base.js` +- `x-pack/test/functional_synthetics/config.js` + +To update this registry image, pull the digest SHA from the package storage Jenkins pipeline at https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fpackage-storage/activity and update the files above. The digest value should appear in the "publish Docker image" step as part of the `docker push` command in the logs. + +![image](https://user-images.githubusercontent.com/6766512/171409455-64f9ab1d-08fe-4872-9b74-58359ed938dd.png) diff --git a/x-pack/plugins/fleet/common/services/get_max_version.test.ts b/x-pack/plugins/fleet/common/services/get_max_version.test.ts deleted file mode 100644 index 6b21c81c0a5fe..0000000000000 --- a/x-pack/plugins/fleet/common/services/get_max_version.test.ts +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { getMaxVersion } from './get_max_version'; - -describe('Fleet - getMaxVersion', () => { - it('returns the maximum version', () => { - const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.3.1']; - expect(getMaxVersion(versions)).toEqual('8.3.1'); - }); - - it('returns the maximum version when there are duplicates', () => { - const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.2.0', '7.15.1']; - expect(getMaxVersion(versions)).toEqual('8.3.0'); - }); - - it('returns the maximum version when there is a snapshot version', () => { - const versions = ['8.1.0', '8.2.0-SNAPSHOT', '7.16.0', '7.16.1']; - expect(getMaxVersion(versions)).toEqual('8.2.0-SNAPSHOT'); - }); - - it('returns the maximum version and prefers the major version to the snapshot', () => { - const versions = ['8.1.0', '8.2.0-SNAPSHOT', '8.2.0', '7.16.0', '7.16.1']; - expect(getMaxVersion(versions)).toEqual('8.2.0'); - }); - - it('when there is only a version returns it', () => { - const versions = ['8.1.0']; - expect(getMaxVersion(versions)).toEqual('8.1.0'); - }); - - it('returns an empty string when the passed array is empty', () => { - const versions: string[] = []; - expect(getMaxVersion(versions)).toEqual(''); - }); -}); diff --git a/x-pack/plugins/fleet/common/services/get_max_version.ts b/x-pack/plugins/fleet/common/services/get_max_version.ts deleted file mode 100644 index e34dec675999d..0000000000000 --- a/x-pack/plugins/fleet/common/services/get_max_version.ts +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -import { uniq } from 'lodash'; -import semverGt from 'semver/functions/gt'; -import semverCoerce from 'semver/functions/coerce'; - -// Find max version from an array of string versions -export function getMaxVersion(versions: string[]) { - const uniqVersions: string[] = uniq(versions); - - if (uniqVersions.length === 1) { - const semverVersion = semverCoerce(uniqVersions[0])?.version; - return semverVersion ? semverVersion : ''; - } else if (uniqVersions.length > 1) { - const sorted = uniqVersions.sort((a, b) => (semverGt(a, b) ? 1 : -1)); - return sorted[sorted.length - 1]; - } - return ''; -} diff --git a/x-pack/plugins/fleet/common/services/get_min_max_version.test.ts b/x-pack/plugins/fleet/common/services/get_min_max_version.test.ts new file mode 100644 index 0000000000000..87a7e7dbfa41e --- /dev/null +++ b/x-pack/plugins/fleet/common/services/get_min_max_version.test.ts 
@@ -0,0 +1,112 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getMaxVersion, getMinVersion, sortVersions } from './get_min_max_version'; + +describe('Fleet - sortVersions', () => { + it('returns the array ordered in ascending order', () => { + const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.3.1']; + expect(sortVersions(versions)).toEqual([ + '7.16.0', + '7.16.1', + '8.1.0', + '8.2.0', + '8.2.1', + '8.3.0', + '8.3.1', + ]); + }); + it('returns the array ordered in ascending order and removes duplicates', () => { + const versions = ['8.1.0', '8.3.0', '8.2.0', '7.16.0', '8.2.0', '7.16.0', '8.3.1']; + expect(sortVersions(versions)).toEqual(['7.16.0', '8.1.0', '8.2.0', '8.3.0', '8.3.1']); + }); + it('returns the array ordered in ascending order when there are snapshot versions', () => { + const versions = ['8.1.0', '8.2.0-SNAPSHOT', '8.2.0', '7.16.0', '7.16.1']; + expect(sortVersions(versions)).toEqual([ + '7.16.0', + '7.16.1', + '8.1.0', + '8.2.0-SNAPSHOT', + '8.2.0', + ]); + }); +}); + +describe('Fleet - getMaxVersion', () => { + it('returns the maximum version', () => { + const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.3.1']; + expect(getMaxVersion(versions)).toEqual('8.3.1'); + }); + + it('returns the maximum version if the array has a single element', () => { + const versions = ['8.1.0']; + expect(getMaxVersion(versions)).toEqual('8.1.0'); + }); + + it('returns the maximum version when there are duplicates', () => { + const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.2.0', '7.15.1']; + expect(getMaxVersion(versions)).toEqual('8.3.0'); + }); + + it('returns the maximum version and prefers the major version to the snapshot', () => { + const versions = ['8.1.0', 
'8.2.0-SNAPSHOT', '8.2.0', '7.16.0', '7.16.1']; + expect(getMaxVersion(versions)).toEqual('8.2.0'); + }); + + it('when there is only a version returns it', () => { + const versions = ['8.1.0']; + expect(getMaxVersion(versions)).toEqual('8.1.0'); + }); + + it('returns an empty string when the passed array is empty', () => { + const versions: string[] = []; + expect(getMaxVersion(versions)).toEqual(''); + }); + + it('returns empty string if the passed array is empty', () => { + expect(getMaxVersion([])).toEqual(''); + }); + + it('returns empty string if the array contains invalid strings', () => { + expect(getMaxVersion(['bla', 'not-a-version'])).toEqual(''); + }); +}); + +describe('Fleet - getMinVersion', () => { + it('returns the minimum version', () => { + const versions = ['8.1.0', '8.3.0', '8.2.1', '8.0.0', '8.2.0', '8.2.1']; + expect(getMinVersion(versions)).toEqual('8.0.0'); + }); + + it('returns the minimum version if the array has a single element', () => { + const versions = ['8.1.0']; + expect(getMaxVersion(versions)).toEqual('8.1.0'); + }); + + it('returns the minimum version when there are duplicates', () => { + const versions = ['8.1.0', '8.3.0', '8.2.1', '7.16.0', '8.2.0', '7.16.1', '8.2.0', '7.15.1']; + expect(getMinVersion(versions)).toEqual('7.15.1'); + }); + + it('when there is only a version returns it', () => { + const versions = ['8.1.0']; + expect(getMinVersion(versions)).toEqual('8.1.0'); + }); + + it('returns an empty string when the passed array is empty', () => { + const versions: string[] = []; + expect(getMinVersion(versions)).toEqual(''); + }); + + it('returns empty string if the passed array is empty', () => { + expect(getMaxVersion([])).toEqual(''); + }); + + it('returns empty string if the array contains invalid strings', () => { + expect(getMaxVersion(['bla', 'not-a-version'])).toEqual(''); + }); +}); 
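Review bot: Three tests in the `Fleet - getMinVersion` describe block call `getMaxVersion` instead of `getMinVersion` — `'returns the minimum version if the array has a single element'` and the last two (`'returns empty string if the passed array is empty'` / `'... contains invalid strings'`) — so the minimum-version behaviour for those inputs is never exercised; switch them to `expect(getMinVersion(...))`. The `getMaxVersion` block also states the single-element case and the empty-array case twice each, so one of each can go. A `getMinVersion` case with a prerelease, such as `['8.2.0', '8.2.0-SNAPSHOT']` expecting `'8.2.0-SNAPSHOT'`, would pin the ordering that `sortVersions` relies on.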
diff --git a/x-pack/plugins/fleet/common/services/get_min_max_version.ts b/x-pack/plugins/fleet/common/services/get_min_max_version.ts new file mode 100644 index 0000000000000..499291be37a84 --- /dev/null +++ b/x-pack/plugins/fleet/common/services/get_min_max_version.ts @@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { uniq } from 'lodash'; +import semverGt from 'semver/functions/gt'; +import semverCoerce from 'semver/functions/coerce'; + +// Sort array in ascending order +export function sortVersions(versions: string[]) { + // remove duplicates and filter out invalid versions + const uniqVersions = uniq(versions).filter((v) => semverCoerce(v)?.version !== undefined); + + if (uniqVersions.length > 1) { + return uniqVersions.sort((a, b) => (semverGt(a, b) ? 1 : -1)); + } + return uniqVersions; +} + +// Find max version from an array of string versions +export function getMaxVersion(versions: string[]) { + const sorted = sortVersions(versions); + if (sorted.length >= 1) { + return sorted[sorted.length - 1]; + } + return ''; +} + +// Find min version from an array of string versions +export function getMinVersion(versions: string[]) { + const sorted = sortVersions(versions); + if (sorted.length >= 1) { + return sorted[0]; + } + return ''; +} diff --git a/x-pack/plugins/fleet/common/services/index.ts b/x-pack/plugins/fleet/common/services/index.ts index 98f047ae23462..d8a7ed080ac63 100644 --- a/x-pack/plugins/fleet/common/services/index.ts +++ b/x-pack/plugins/fleet/common/services/index.ts 
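Review bot: `sortVersions` filters with `semverCoerce`, which accepts loose inputs such as `8.1` or `v8.1.0`, but then sorts with `semverGt` on the raw strings, which throws `Invalid Version` for exactly those inputs, so the filter and the comparator disagree; if callers can pass anything that is not strict semver (not visible here — confirm), the function throws instead of dropping the value. Filtering with `semver/functions/valid` (`uniq(versions).filter((v) => semverValid(v) !== null)`) keeps the two in agreement, and `.sort(semverCompare)` from `semver/functions/compare` is a proper comparator — the current `semverGt(a, b) ? 1 : -1` never returns 0, which `Array.prototype.sort` does not guarantee to handle consistently even though `uniq` removes exact duplicates. Note the deleted `getMaxVersion` returned the coerced form for a single element (`8.1` became `8.1.0`), while the new code returns the raw string, so that is a behaviour change worth stating in the PR.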
@@ -35,3 +35,4 @@ export { export { normalizeHostsForAgents } from './hosts_utils'; export { splitPkgKey } from './split_pkg_key'; export { getMaxPackageName } from './max_package_name'; +export { getMinVersion, getMaxVersion } from './get_min_max_version'; diff --git a/x-pack/plugins/fleet/common/services/is_agent_upgradeable.test.ts b/x-pack/plugins/fleet/common/services/is_agent_upgradeable.test.ts index 1346628758a49..22ec58764bbd7 100644 --- a/x-pack/plugins/fleet/common/services/is_agent_upgradeable.test.ts +++ b/x-pack/plugins/fleet/common/services/is_agent_upgradeable.test.ts @@ -168,4 +168,22 @@ describe('Fleet - isAgentUpgradeable', () => { isAgentUpgradeable(getAgent({ version: '7.9.0', upgradeable: true }), '8.0.0-SNAPSHOT') ).toBe(true); }); + it('returns false if agent reports upgradeable, with target version < current agent version ', () => { + expect( + isAgentUpgradeable( + getAgent({ version: '7.9.0', upgradeable: true }), + '8.0.0-SNAPSHOT', + '7.8.0' + ) + ).toBe(false); + }); + it('returns false if agent reports upgradeable, with target version == current agent version ', () => { + expect( + isAgentUpgradeable( + getAgent({ version: '7.9.0', upgradeable: true }), + '8.0.0-SNAPSHOT', + '7.9.0' + ) + ).toBe(false); + }); }); diff --git a/x-pack/plugins/fleet/common/services/is_agent_upgradeable.ts b/x-pack/plugins/fleet/common/services/is_agent_upgradeable.ts index 8be0e92bee1ee..85894ad1025fb 100644 --- a/x-pack/plugins/fleet/common/services/is_agent_upgradeable.ts +++ b/x-pack/plugins/fleet/common/services/is_agent_upgradeable.ts 
@@ -7,10 +7,11 @@ import semverCoerce from 'semver/functions/coerce'; import semverLt from 'semver/functions/lt'; +import semverGt from 'semver/functions/gt'; import type { Agent } from '../types'; -export function isAgentUpgradeable(agent: Agent, kibanaVersion: string) { +export function isAgentUpgradeable(agent: Agent, kibanaVersion: string, versionToUpgrade?: string) { let agentVersion: string; if (typeof agent?.local_metadata?.elastic?.agent?.version === 'string') { agentVersion = agent.local_metadata.elastic.agent.version; @@ -23,7 +24,12 @@ export function isAgentUpgradeable(agent: Agent, kibanaVersion: string) { if (!agent.local_metadata.elastic.agent.upgradeable) { return false; } - + if (versionToUpgrade !== undefined) { + return ( + isNotDowngrade(agentVersion, versionToUpgrade) && + isAgentVersionLessThanKibana(agentVersion, kibanaVersion) + ); + } return isAgentVersionLessThanKibana(agentVersion, kibanaVersion); } @@ -36,3 +42,12 @@ export const isAgentVersionLessThanKibana = (agentVersion: string, kibanaVersion return semverLt(agentVersionNumber, kibanaVersionNumber); }; + +export const isNotDowngrade = (agentVersion: string, versionToUpgrade: string) => { + const agentVersionNumber = semverCoerce(agentVersion); + if (!agentVersionNumber) throw new Error('agent version is not valid'); + const versionToUpgradeNumber = semverCoerce(versionToUpgrade); + if (!versionToUpgradeNumber) throw new Error('target version is not valid'); + + return semverGt(versionToUpgradeNumber, agentVersionNumber); +}; diff --git a/x-pack/plugins/fleet/common/types/models/epm.ts b/x-pack/plugins/fleet/common/types/models/epm.ts index cb5d8f3bb009b..9da1075e52dff 100644 --- a/x-pack/plugins/fleet/common/types/models/epm.ts +++ b/x-pack/plugins/fleet/common/types/models/epm.ts @@ -397,6 +397,7 @@ export interface IntegrationCardItem { integration: string; id: string; categories: string[]; + fromIntegrations?: string; } export type PackagesGroupedByStatus = Record, PackageList>; 
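Review bot: `isNotDowngrade` compares `semverCoerce` results, and coerce drops prerelease tags, so an agent on `8.0.0-SNAPSHOT` targeting `8.0.0` (or the reverse) compares as equal and is refused as a downgrade; if moving from a snapshot to its release is a supported upgrade (not visible here — confirm), compare the raw strings with `semverGt` when both are valid semver and only fall back to coercion otherwise. The negated name also reads awkwardly inside `isNotDowngrade(...) && isAgentVersionLessThanKibana(...)`; something like `isVersionNewer(agentVersion, versionToUpgrade)` states the check positively. `isAgentUpgradeable`, whose middle hunk wires this in, starts outside the visible hunks.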
diff --git a/x-pack/plugins/fleet/common/types/rest_spec/agent.ts b/x-pack/plugins/fleet/common/types/rest_spec/agent.ts index 77416f5e1db5d..bf05ca0a2dbd4 100644 --- a/x-pack/plugins/fleet/common/types/rest_spec/agent.ts +++ b/x-pack/plugins/fleet/common/types/rest_spec/agent.ts @@ -5,6 +5,8 @@ * 2.0. */ +import type { SearchHit } from '@kbn/core/types/elasticsearch'; + import type { Agent, AgentAction, CurrentUpgrade, NewAgentAction } from '../models'; import type { ListResult, ListWithKuery } from './common'; @@ -167,6 +169,7 @@ export interface GetAgentStatusResponse { export interface GetAgentIncomingDataRequest { query: { agentsIds: string[]; + previewData?: boolean; }; } @@ -175,6 +178,7 @@ export interface IncomingDataList { } export interface GetAgentIncomingDataResponse { items: IncomingDataList[]; + dataPreview: SearchHit[]; } export interface GetCurrentUpgradesResponse { diff --git a/x-pack/plugins/fleet/cypress/screens/integrations.ts b/x-pack/plugins/fleet/cypress/screens/integrations.ts index dddede9e77f8d..ed645d08d9b5f 100644 --- a/x-pack/plugins/fleet/cypress/screens/integrations.ts +++ b/x-pack/plugins/fleet/cypress/screens/integrations.ts @@ -7,7 +7,7 @@ export const ADD_POLICY_BTN = 'addIntegrationPolicyButton'; export const CREATE_PACKAGE_POLICY_SAVE_BTN = 'createPackagePolicySaveButton'; -export const INTEGRATIONS_CARD = '.euiCard__titleAnchor'; +export const INTEGRATIONS_CARD = '.euiCard__titleButton'; export const INTEGRATION_NAME_LINK = 'integrationNameLink'; export const AGENT_POLICY_NAME_LINK = 'agentPolicyNameLink'; diff --git a/x-pack/plugins/fleet/kibana.json b/x-pack/plugins/fleet/kibana.json index 0a45b03803fc3..4bfc6e95f0157 100644 --- a/x-pack/plugins/fleet/kibana.json +++ b/x-pack/plugins/fleet/kibana.json 
@@ -9,7 +9,7 @@ "ui": true, "configPath": ["xpack", "fleet"], "requiredPlugins": ["licensing", "data", "encryptedSavedObjects", "navigation", "customIntegrations", "share", "spaces", "security", "unifiedSearch"], - "optionalPlugins": ["features", "cloud", "usageCollection", "home", "globalSearch", "telemetry"], + "optionalPlugins": ["features", "cloud", "usageCollection", "home", "globalSearch", "telemetry", "discover"], "extraPublicDirs": ["common"], "requiredBundles": ["kibanaReact", "cloud", "esUiShared", "infra", "kibanaUtils", "usageCollection", "unifiedSearch"] } diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/index.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/index.ts index 34613413ce39f..08099f4078a08 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/index.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/index.ts @@ -6,3 +6,4 @@ */ export { IntegrationBreadcrumb } from './integration_breadcrumb'; +export * from './steps'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/index.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/index.ts new file mode 100644 index 0000000000000..a12c67b7d51ad --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/index.ts 
@@ -0,0 +1,9 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { PackagePolicyInputPanel } from './package_policy_input_panel'; +export { PackagePolicyInputVarField } from './package_policy_input_var_field'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/multi_text_input.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/multi_text_input.test.tsx similarity index 99% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/multi_text_input.test.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/multi_text_input.test.tsx index 8b0fdc8540e9a..0321f9f831055 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/multi_text_input.test.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/multi_text_input.test.tsx @@ -8,7 +8,7 @@ import React from 'react'; import { fireEvent, act } from '@testing-library/react'; -import { createFleetTestRendererMock } from '../../../../../../../mock'; +import { createFleetTestRendererMock } from '../../../../../../../../mock'; import { MultiTextInput } from './multi_text_input'; 
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/multi_text_input.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/multi_text_input.tsx similarity index 100% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/multi_text_input.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/multi_text_input.tsx diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_config.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_config.tsx similarity index 97% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_config.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_config.tsx index b270140a24c94..73787b3a5afe9 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_config.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_config.tsx 
@@ -17,9 +17,9 @@ import { EuiButtonEmpty, } from '@elastic/eui'; -import type { NewPackagePolicyInput, RegistryVarsEntry } from '../../../../../types'; -import type { PackagePolicyConfigValidationResults } from '../services'; -import { isAdvancedVar, validationHasErrors } from '../services'; +import type { NewPackagePolicyInput, RegistryVarsEntry } from '../../../../../../types'; +import type { PackagePolicyConfigValidationResults } from '../../../services'; +import { isAdvancedVar, validationHasErrors } from '../../../services'; import { PackagePolicyInputVarField } from './package_policy_input_var_field'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_panel.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_panel.tsx similarity index 94% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_panel.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_panel.tsx index 4c29d33376e5d..47056b1c2dabf 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_panel.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_panel.tsx @@ -14,9 +14,9 @@ import { EuiFlexItem, EuiSwitch, EuiText, - EuiButtonIcon, EuiHorizontalRule, EuiSpacer, + EuiButtonEmpty, } from '@elastic/eui'; import type { 
@@ -24,9 +24,9 @@ import type { PackagePolicyInputStream, RegistryInput, RegistryStream, -} from '../../../../../types'; -import type { PackagePolicyInputValidationResults } from '../services'; -import { hasInvalidButRequiredVar, countValidationErrors } from '../services'; +} from '../../../../../../types'; +import type { PackagePolicyInputValidationResults } from '../../../services'; +import { hasInvalidButRequiredVar, countValidationErrors } from '../../../services'; import { PackagePolicyInputConfig } from './package_policy_input_config'; import { PackagePolicyInputStreamConfig } from './package_policy_input_stream'; @@ -151,10 +151,11 @@ export const PackagePolicyInputPanel: React.FunctionComponent<{ ) : null} - setIsShowingStreams(!isShowingStreams)} - color={hasErrors ? 'danger' : 'text'} + iconType={isShowingStreams ? 'arrowUp' : 'arrowDown'} + iconSide="right" aria-label={ isShowingStreams ? i18n.translate( @@ -176,7 +177,14 @@ export const PackagePolicyInputPanel: React.FunctionComponent<{ } ) } - /> + > + { + + } + diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_stream.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_stream.tsx similarity index 97% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_stream.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_stream.tsx index bfc88a6f040ca..e644e4ce9b65d 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_stream.tsx 
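Review bot: The removed `EuiButtonIcon` carried `color={hasErrors ? 'danger' : 'text'}` (removed line in the hunk at -151) and the props visible on the new `EuiButtonEmpty` (`iconType`, `iconSide`) do not restore it, so the visual error cue on the streams toggle appears to be dropped; if that is unintended, add `color={hasErrors ? 'danger' : 'text'}` back on the new element. The JSX is partially lost in this rendering, so if the color was moved elsewhere in the element, disregard this. The component body continues outside the hunk.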
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_stream.tsx @@ -23,9 +23,9 @@ import type { NewPackagePolicyInputStream, RegistryStream, RegistryVarsEntry, -} from '../../../../../types'; -import type { PackagePolicyConfigValidationResults } from '../services'; -import { isAdvancedVar, validationHasErrors } from '../services'; +} from '../../../../../../types'; +import type { PackagePolicyConfigValidationResults } from '../../../services'; +import { isAdvancedVar, validationHasErrors } from '../../../services'; import { PackagePolicyInputVarField } from './package_policy_input_var_field'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_var_field.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx similarity index 98% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_var_field.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx index dabdf42d6fd99..563dec04449b3 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/package_policy_input_var_field.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx 
@@ -21,7 +21,7 @@ import styled from 'styled-components'; import { CodeEditor } from '@kbn/kibana-react-plugin/public'; -import type { RegistryVarsEntry } from '../../../../../types'; +import type { RegistryVarsEntry } from '../../../../../../types'; import { MultiTextInput } from './multi_text_input'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/index.tsx new file mode 100644 index 0000000000000..e1717dcc9044a --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/index.tsx @@ -0,0 +1,11 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './step_configure_package'; +export * from './step_define_package_policy'; +export * from './step_select_agent_policy'; +export * from './step_select_hosts'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.test.tsx similarity index 96% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.test.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.test.tsx index bf215db880804..9a6dcf3286412 100644 
--- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.test.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.test.tsx @@ -8,9 +8,9 @@ import React from 'react'; import { act, fireEvent, waitFor } from '@testing-library/react'; -import type { TestRenderer } from '../../../../../../mock'; -import { createFleetTestRendererMock } from '../../../../../../mock'; -import type { NewPackagePolicy, PackageInfo } from '../../../../types'; +import type { TestRenderer } from '../../../../../../../mock'; +import { createFleetTestRendererMock } from '../../../../../../../mock'; +import type { NewPackagePolicy, PackageInfo } from '../../../../../types'; import { StepConfigurePackagePolicy } from './step_configure_package'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.tsx similarity index 93% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.tsx index eef9a2702f821..db70c4b480b02 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_configure_package.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_configure_package.tsx 
@@ -15,11 +15,12 @@ import { } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; -import type { PackageInfo, NewPackagePolicy, NewPackagePolicyInput } from '../../../../types'; -import { Loading } from '../../../../components'; -import { getStreamsForInputType, doesPackageHaveIntegrations } from '../../../../services'; +import type { PackageInfo, NewPackagePolicy, NewPackagePolicyInput } from '../../../../../types'; +import { Loading } from '../../../../../components'; +import { getStreamsForInputType, doesPackageHaveIntegrations } from '../../../../../services'; + +import type { PackagePolicyValidationResults } from '../../services'; -import type { PackagePolicyValidationResults } from './services'; import { PackagePolicyInputPanel } from './components'; export const StepConfigurePackagePolicy: React.FunctionComponent<{ @@ -29,6 +30,7 @@ export const StepConfigurePackagePolicy: React.FunctionComponent<{ updatePackagePolicy: (fields: Partial) => void; validationResults: PackagePolicyValidationResults; submitAttempted: boolean; + noTopRule?: boolean; }> = ({ packageInfo, showOnlyIntegration, @@ -36,6 +38,7 @@ export const StepConfigurePackagePolicy: React.FunctionComponent<{ updatePackagePolicy, validationResults, submitAttempted, + noTopRule = false, }) => { const hasIntegrations = useMemo(() => doesPackageHaveIntegrations(packageInfo), [packageInfo]); const packagePolicyTemplates = useMemo( @@ -47,12 +50,11 @@ export const StepConfigurePackagePolicy: React.FunctionComponent<{ : packageInfo.policy_templates || [], [packageInfo.policy_templates, showOnlyIntegration] ); - // Configure inputs (and their streams) const renderConfigureInputs = () => packagePolicyTemplates.length ? ( <> - + {!noTopRule && } {packagePolicyTemplates.map((policyTemplate) => { return (policyTemplate.inputs || []).map((packageInput) => { 
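Review bot: `noTopRule` here (and `noAdvancedToggle` in step_define_package_policy.tsx) are negatively named booleans, which forces double negation at the use site `{!noTopRule && ...}`; a positive name defaulting to true, `showTopRule = true`, reads more directly and matches how the other step props are phrased. The hunk at -47 also drops the `// Configure inputs (and their streams)` comment above `renderConfigureInputs` without a replacement; keep it, and document the new prop, e.g. `/** Omit the leading horizontal rule when the caller already draws its own separator */`. Renaming would affect whichever callers presumably pass the prop elsewhere in this commit, so if the name stays, the doc comment on the prop is the minimum.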
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.test.tsx similarity index 95% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.test.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.test.tsx index f3c8770b91e0a..7dd7d23b38745 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.test.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.test.tsx 
@@ -8,17 +8,17 @@ import React from 'react'; import { act, fireEvent, waitFor } from '@testing-library/react'; -import type { TestRenderer } from '../../../../../../mock'; -import { createFleetTestRendererMock } from '../../../../../../mock'; -import type { AgentPolicy, NewPackagePolicy, PackageInfo } from '../../../../types'; +import type { TestRenderer } from '../../../../../../../mock'; +import { createFleetTestRendererMock } from '../../../../../../../mock'; +import type { AgentPolicy, NewPackagePolicy, PackageInfo } from '../../../../../types'; -import { useGetPackagePolicies } from '../../../../hooks'; +import { useGetPackagePolicies } from '../../../../../hooks'; import { StepDefinePackagePolicy } from './step_define_package_policy'; -jest.mock('../../../../hooks', () => { +jest.mock('../../../../../hooks', () => { return { - ...jest.requireActual('../../../../hooks'), + ...jest.requireActual('../../../../../hooks'), useGetPackagePolicies: jest.fn().mockReturnValue({ data: { items: [{ name: 'nginx-1' }, { name: 'other-policy' }], diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.tsx similarity index 89% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.tsx index 458c363adf829..634c173a01111 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_define_package_policy.tsx 
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_define_package_policy.tsx @@ -27,15 +27,16 @@ import type { PackageInfo, NewPackagePolicy, RegistryVarsEntry, -} from '../../../../types'; -import { packageToPackagePolicy, pkgKeyFromPackageInfo } from '../../../../services'; -import { Loading } from '../../../../components'; -import { useStartServices, useGetPackagePolicies } from '../../../../hooks'; -import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../../../constants'; -import { SO_SEARCH_LIMIT, getMaxPackageName } from '../../../../../../../common'; +} from '../../../../../types'; +import { packageToPackagePolicy, pkgKeyFromPackageInfo } from '../../../../../services'; +import { Loading } from '../../../../../components'; +import { useStartServices, useGetPackagePolicies } from '../../../../../hooks'; +import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../../../../constants'; +import { SO_SEARCH_LIMIT, getMaxPackageName } from '../../../../../../../../common'; + +import { isAdvancedVar } from '../../services'; +import type { PackagePolicyValidationResults } from '../../services'; -import { isAdvancedVar } from './services'; -import type { PackagePolicyValidationResults } from './services'; import { PackagePolicyInputVarField } from './components'; // on smaller screens, fields should be displayed in one column @@ -56,6 +57,7 @@ export const StepDefinePackagePolicy: React.FunctionComponent<{ validationResults: PackagePolicyValidationResults; submitAttempted: boolean; isUpdate?: boolean; + noAdvancedToggle?: boolean; }> = memo( ({ agentPolicy, @@ -66,6 +68,7 @@ export const StepDefinePackagePolicy: React.FunctionComponent<{ updatePackagePolicy, validationResults, submitAttempted, + noAdvancedToggle = false, }) => { const { docLinks } = useStartServices(); 
@@ -77,7 +80,7 @@ export const StepDefinePackagePolicy: React.FunctionComponent<{ }); // Form show/hide states - const [isShowingAdvanced, setIsShowingAdvanced] = useState(false); + const [isShowingAdvanced, setIsShowingAdvanced] = useState(noAdvancedToggle); // Package-level vars const requiredVars: RegistryVarsEntry[] = []; @@ -260,34 +263,36 @@ export const StepDefinePackagePolicy: React.FunctionComponent<{ })} {/* Advanced options toggle */} - - - - setIsShowingAdvanced(!isShowingAdvanced)} - flush="left" - > - - - - {!isShowingAdvanced && !!validationResults.namespace ? ( + {!noAdvancedToggle && ( + + - + setIsShowingAdvanced(!isShowingAdvanced)} + flush="left" + > - + - ) : null} - - + {!isShowingAdvanced && !!validationResults.namespace ? ( + + + + + + ) : null} + + + )} {/* Advanced options content */} {/* Todo: Populate list of existing namespaces */} diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.test.tsx similarity index 90% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.test.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.test.tsx index 46ead3ec1d55d..1b267f7eee695 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.test.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.test.tsx 
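Review bot: `useState(noAdvancedToggle)` reads the prop only as the initial value, so if `noAdvancedToggle` changes after mount the advanced section will not follow it; that is acceptable while the prop is static per mount, but it should be stated on the prop, e.g. `/** When true, the advanced toggle is hidden and advanced vars are always shown (read once at mount) */`. With the toggle hidden there is no path back to the collapsed state, so the `false` default in the destructuring is what keeps existing callers unchanged. The hunk at -260 that hides the toggle has its JSX partly stripped in this rendering, so I am reading only the state line.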
@@ -8,16 +8,16 @@ import React from 'react'; import { act } from '@testing-library/react'; -import type { TestRenderer } from '../../../../../../mock'; -import { createFleetTestRendererMock } from '../../../../../../mock'; +import type { TestRenderer } from '../../../../../../../mock'; +import { createFleetTestRendererMock } from '../../../../../../../mock'; -import { useGetAgentPolicies } from '../../../../hooks'; +import { useGetAgentPolicies } from '../../../../../hooks'; import { StepSelectAgentPolicy } from './step_select_agent_policy'; -jest.mock('../../../../hooks', () => { +jest.mock('../../../../../hooks', () => { return { - ...jest.requireActual('../../../../hooks'), + ...jest.requireActual('../../../../../hooks'), useGetAgentPolicies: jest.fn(), useGetOutputs: jest.fn().mockResolvedValue({ data: [], diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.tsx similarity index 98% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.tsx index 227f9b670665e..81a3de0d2d930 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_agent_policy.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_agent_policy.tsx 
@@ -21,21 +21,21 @@ import { EuiSpacer, } from '@elastic/eui'; -import { Error } from '../../../../components'; +import { Error } from '../../../../../components'; import type { AgentPolicy, Output, PackageInfo, GetAgentPoliciesResponseItem, -} from '../../../../types'; -import { isPackageLimited, doesAgentPolicyAlreadyIncludePackage } from '../../../../services'; +} from '../../../../../types'; +import { isPackageLimited, doesAgentPolicyAlreadyIncludePackage } from '../../../../../services'; import { useGetAgentPolicies, useGetOutputs, sendGetOneAgentPolicy, useFleetStatus, -} from '../../../../hooks'; -import { FLEET_APM_PACKAGE, SO_SEARCH_LIMIT, outputType } from '../../../../../../../common'; +} from '../../../../../hooks'; +import { FLEET_APM_PACKAGE, SO_SEARCH_LIMIT, outputType } from '../../../../../../../../common'; const AgentPolicyFormRow = styled(EuiFormRow)` .euiFormRow__label { diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.test.tsx similarity index 92% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.test.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.test.tsx index da3938cc55ba2..5253fc4e9b282 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.test.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.test.tsx 
@@ -8,17 +8,17 @@ import React from 'react'; import { act, fireEvent, waitFor } from '@testing-library/react'; -import type { TestRenderer } from '../../../../../../mock'; -import { createFleetTestRendererMock } from '../../../../../../mock'; +import type { TestRenderer } from '../../../../../../../mock'; +import { createFleetTestRendererMock } from '../../../../../../../mock'; -import { useGetAgentPolicies } from '../../../../hooks'; -import type { AgentPolicy, PackageInfo } from '../../../../types'; +import { useGetAgentPolicies } from '../../../../../hooks'; +import type { AgentPolicy, PackageInfo } from '../../../../../types'; import { StepSelectHosts } from './step_select_hosts'; -jest.mock('../../../../hooks', () => { +jest.mock('../../../../../hooks', () => { return { - ...jest.requireActual('../../../../hooks'), + ...jest.requireActual('../../../../../hooks'), useGetAgentPolicies: jest.fn(), useGetOutputs: jest.fn().mockResolvedValue({ data: [], diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.tsx similarity index 91% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.tsx rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.tsx index 96d12bd29695c..93aa2b37bfe3a 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/step_select_hosts.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/step_select_hosts.tsx 
@@ -10,12 +10,13 @@ import type { EuiTabbedContentTab } from '@elastic/eui'; import { EuiTabbedContent } from '@elastic/eui'; import styled from 'styled-components'; -import { useGetAgentPolicies } from '../../../../hooks'; -import type { AgentPolicy, NewAgentPolicy, PackageInfo } from '../../../../types'; -import { AgentPolicyIntegrationForm } from '../../components'; -import type { ValidationResults } from '../../components/agent_policy_validation'; -import { SO_SEARCH_LIMIT } from '../../../../constants'; -import { incrementPolicyName } from '../../../../services'; +import { useGetAgentPolicies } from '../../../../../hooks'; +import type { AgentPolicy, NewAgentPolicy, PackageInfo } from '../../../../../types'; +import { AgentPolicyIntegrationForm } from '../../../components'; +import { SO_SEARCH_LIMIT } from '../../../../../constants'; +import type { ValidationResults } from '../../../components/agent_policy_validation'; + +import { incrementPolicyName } from '../../../../../services'; import { StepSelectAgentPolicy } from './step_select_agent_policy'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/add_first_integration_splash.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/add_first_integration_splash.tsx index b0dd98fc4de10..bc265c11b18c6 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/add_first_integration_splash.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/add_first_integration_splash.tsx 
@@ -10,18 +10,16 @@ import useWindowSize from 'react-use/lib/useWindowSize'; import { FormattedMessage } from '@kbn/i18n-react'; import type { EuiImageProps } from '@elastic/eui'; + import { EuiImage, EuiTitle, - EuiBottomBar, EuiFlexGroup, EuiFlexItem, - EuiButton, EuiStepNumber, EuiText, EuiSpacer, EuiLink, - EuiButtonEmpty, EuiHideFor, EuiShowFor, isWithinMaxBreakpoint, @@ -35,6 +33,8 @@ import { WithHeaderLayout } from '../../../../../layouts'; import { useStartServices } from '../../../../../hooks'; import type { RequestError } from '../../../../../hooks'; +import { CreatePackagePolicyBottomBar } from '.'; + const CentralTitle = styled('h1')` text-align: center; `; @@ -207,12 +207,6 @@ const AddIntegrationStepsIllustrations = () => { ); }; -const CenteredRoundedBottomBar = styled(EuiBottomBar)` - max-width: 820px; - margin: 0 auto; - border-radius: 8px 8px 0px 0px; -`; - const NotObscuredByBottomBar = styled('div')` padding-bottom: 100px; `; @@ -222,10 +216,10 @@ const CenteredLearnMoreLink = () => { return ( - + @@ -233,47 +227,9 @@ const CenteredLearnMoreLink = () => { ); }; -const InstallBottomBar: React.FC<{ - isLoading: boolean; - cancelClickHandler: React.ReactEventHandler; - cancelUrl: string; - onNext: () => void; -}> = ({ isLoading, onNext, cancelClickHandler, cancelUrl }) => ( - - - - - {/* eslint-disable-next-line @elastic/eui/href-or-on-click */} - - - - - - - - {isLoading ? ( - - ) : ( - - )} - - - - -); - export const AddFirstIntegrationSplashScreen: React.FC<{ integrationInfo?: RegistryPolicyTemplate; - error: RequestError | null; + error?: RequestError | null; packageInfo?: PackageInfo; isLoading: boolean; cancelClickHandler: React.ReactEventHandler; 
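Review bot: `import { CreatePackagePolicyBottomBar } from '.'` imports from the directory's own barrel; if that index also re-exports this file (likely, since the splash screen is a public component of the layout), this is a circular import whose binding can be `undefined` depending on evaluation order. Importing the concrete module, `import { CreatePackagePolicyBottomBar } from './bottom_bar';`, avoids the cycle and mirrors how confirm_incoming_data_timeout.tsx imports `NotObscuredByBottomBar` from `./bottom_bar`. The widening to `error?: RequestError | null` is fine, but the render site that reads `error` is outside this hunk, so I can't confirm it handles the now-absent case.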
@@ -320,11 +276,18 @@ export const AddFirstIntegrationSplashScreen: React.FC<{ - + } /> {packageInfo && ( void; + noAnimation?: boolean; + loadingMessage?: React.ReactElement; +}> = ({ + isLoading, + loadingMessage, + onNext, + cancelClickHandler, + cancelUrl, + actionMessage, + isDisabled = false, + noAnimation = false, +}) => { + const Bar = noAnimation ? NoAnimationCenteredRoundedBottomBar : CenteredRoundedBottomBar; + return ( + + + + + {/* eslint-disable-next-line @elastic/eui/href-or-on-click */} + + + + + + + + {isLoading + ? loadingMessage || ( + + ) + : actionMessage} + + + + + ); +}; + +export const CreatePackagePolicyFinalBottomBar: React.FC<{ + pkgkey: string; +}> = ({ pkgkey }) => { + const { getHref } = useLink(); + return ( + + + + + + + + + + + + + + + + + ); +}; + +export const AgentDataTimedOutBottomBar: React.FC<{ + troubleshootLink: string; + agentIds: string[]; + integration?: string; +}> = ({ troubleshootLink, agentIds, integration }) => { + const discoverLogsLink = useGetDiscoverLogsLinkForAgents(agentIds); + + return ( + + + + + + + + + + + + + + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_timeout.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_timeout.tsx new file mode 100644 index 0000000000000..a5ae2e2ed5e8a --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_timeout.tsx 
@@ -0,0 +1,75 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { EuiLink, EuiText, EuiTitle } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; + +import type { PackageInfo } from '../../../../../../../../common'; + +import { useGetDiscoverLogsLinkForAgents } from '../hooks'; + +import { AgentDataTimedOutBottomBar, NotObscuredByBottomBar } from './bottom_bar'; + +interface Props { + agentIds: string[]; + troubleshootLink: string; + packageInfo?: PackageInfo; +} + +export const ConfirmIncomingDataTimeout: React.FunctionComponent = ({ + agentIds, + troubleshootLink, + packageInfo, +}) => { + const discoverLogsLink = useGetDiscoverLogsLinkForAgents(agentIds); + + return ( + <> + +

+ +

+
+ + + + + ), + discoverLink: ( + + + + ), + }} + /> + + + + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_with_preview.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_with_preview.tsx new file mode 100644 index 0000000000000..6cb678b6885b2 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/confirm_incoming_data_with_preview.tsx 
@@ -0,0 +1,213 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { + EuiCallOut, + EuiText, + EuiSpacer, + EuiLink, + EuiLoadingContent, + EuiLoadingSpinner, + EuiHorizontalRule, + EuiFlexGroup, + EuiFlexItem, + formatDate, + EuiDescriptionList, +} from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { i18n } from '@kbn/i18n'; +import { getFlattenedObject } from '@kbn/std'; +import omit from 'lodash/omit'; +import type { SearchHit } from '@kbn/core/types/elasticsearch'; + +import styled from 'styled-components'; + +import type { PackageInfo } from '../../../../../../../../common'; + +import { + useGetAgentIncomingData, + usePollingIncomingData, +} from '../../../../../../../components/agent_enrollment_flyout/use_get_agent_incoming_data'; + +import { ConfirmIncomingDataTimeout } from './confirm_incoming_data_timeout'; + +interface Props { + agentIds: string[]; + packageInfo?: PackageInfo; + agentDataConfirmed: boolean; + setAgentDataConfirmed: (v: boolean) => void; + troubleshootLink: string; +} +const MAX_AGENT_DATA_PREVIEW_COUNT = 5; +// make room for more interesting keys in the UI +const DATA_PREVIEW_OMIT_KEYS = [ + 'agent.ephemeral_id', + 'agent.id', + 'elastic_agent.id', + 'data_stream.namespace', + '@timestamp', +]; + +const CleanOverflowDescriptionList = styled(EuiDescriptionList)` + overflow: hidden; + max-height: 125px; + word-break: break-all; + white-space: pre-wrap; +`; + +// &&& increases the style priority +const CompressedPre = styled('pre')` + &&& { + background: none; + padding: 0 0; + } +`; + +const HitPreview: React.FC<{ hit: SearchHit }> = ({ hit }) => { + const hitForDisplay = omit( + getFlattenedObject(hit._source as Record), + DATA_PREVIEW_OMIT_KEYS + ); + const 
listItems = Object.entries(hitForDisplay).map(([key, value]) => ({ + title: `${key}:`, + description: value, + })); + + return ( +
+      
+        
+      
+    
+ ); +}; + +const HitTimestamp: React.FC<{ hit: SearchHit }> = ({ hit }) => { + const source = (hit?._source as Record) || {}; + const timestamp = source?.['@timestamp'] || '-'; + return ( + + + {timestamp ? formatDate(timestamp, 'MMM D, YYYY @ HH:mm:ss.SSS') : '-'} + + + ); +}; + +const AgentDataPreview: React.FC<{ dataPreview: SearchHit[] }> = ({ dataPreview }) => { + const previewData = dataPreview.slice(0, MAX_AGENT_DATA_PREVIEW_COUNT); + return ( + <> + {previewData.map((hit) => ( +
+ + + + + + + + + + +
+ ))} + + ); +}; + +export const ConfirmIncomingDataWithPreview: React.FunctionComponent = ({ + agentIds, + packageInfo, + agentDataConfirmed, + setAgentDataConfirmed, + troubleshootLink, +}) => { + const { incomingData, dataPreview, isLoading, hasReachedTimeout } = usePollingIncomingData( + agentIds, + true, + MAX_AGENT_DATA_PREVIEW_COUNT + ); + const { enrolledAgents, numAgentsWithData } = useGetAgentIncomingData(incomingData, packageInfo); + + if (!isLoading && enrolledAgents > 0 && numAgentsWithData > 0) { + setAgentDataConfirmed(true); + } + if (!agentDataConfirmed) { + return ( + <> + + + } + /> + + {hasReachedTimeout ? ( + + ) : ( + + + + ), + }} + /> + )} + + + + + ); + } + + return ( + <> + + + +

+ +

+
+ + + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/horizontal_page_steps.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/horizontal_page_steps.tsx new file mode 100644 index 0000000000000..8e33dcff5616e --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/horizontal_page_steps.tsx 
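Review bot: `setAgentDataConfirmed(true)` in `ConfirmIncomingDataWithPreview` is called during render, inside a plain `if` after the hooks; updating the parent's state while rendering a child triggers React's "cannot update a component while rendering a different component" warning and can re-render in a loop if the parent hands down a new callback each time. Move it into a `useEffect` keyed on `isLoading`, `enrolledAgents` and `numAgentsWithData` (and add `useEffect` to the `react` import). `HitTimestamp` also defaults `timestamp` to `'-'`, so the `timestamp ? formatDate(...) : '-'` guard never takes its fallback and a hit without `@timestamp` is passed to `formatDate` as the literal string `'-'`; drop the `|| '-'` on the assignment.
```typescript
// … unchanged: usePollingIncomingData / useGetAgentIncomingData calls …
useEffect(() => {
  if (!isLoading && enrolledAgents > 0 && numAgentsWithData > 0) {
    setAgentDataConfirmed(true);
  }
}, [isLoading, enrolledAgents, numAgentsWithData, setAgentDataConfirmed]);
// … unchanged: rest of ConfirmIncomingDataWithPreview …

// HitTimestamp
const timestamp = source?.['@timestamp'];
// … unchanged: EuiText wrapper …
{timestamp ? formatDate(timestamp, 'MMM D, YYYY @ HH:mm:ss.SSS') : '-'}
```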
@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React from 'react';
+import { EuiStepsHorizontal } from '@elastic/eui';
+import type { EuiStepsHorizontalProps } from '@elastic/eui';
+import styled from 'styled-components';
+
+// polyfill until https://github.com/elastic/eui/discussions/5836 implemented
+const NumberlessHorizontalSteps = styled(EuiStepsHorizontal)`
+ .euiStepNumber {
+ color: transparent;
+ width: 16px;
+ height: 16px;
+ outline-color: #07c;
+ }
+ .euiStepHorizontal::before {
+ width: calc(50% - 8px);
+ top: 32px;
+ }
+ .euiStepHorizontal::after {
+ width: calc(50% - 8px);
+ top: 32px;
+ }
+ .euiStepHorizontal {
+ padding: 25px 16px 16px;
+ }
+ .euiStepHorizontal-isIncomplete .euiStepHorizontal__title {
+ color: #69707d;
+ }
+`;
+const getStepStatus = (currentStep: number, stepIndex: number, currentStepComplete: boolean) => {
+ if (currentStep === stepIndex) {
+ if (currentStepComplete) return 'complete';
+ return 'current';
+ }
+
+ if (currentStep > stepIndex) {
+ return 'complete';
+ }
+
+ return 'incomplete';
+};
+
+export const PageSteps: React.FC<{
+ steps: string[];
+ currentStep?: number;
+ currentStepComplete?: boolean;
+}> = ({ steps: stepTitles, currentStep = 0, currentStepComplete = false }) => {
+ const steps = stepTitles.map((title, index) => {
+ return {
+ title,
+ status: getStepStatus(currentStep, index, currentStepComplete),
+ onClick: () => {},
+ };
+ }) as EuiStepsHorizontalProps['steps'];
+
+ return ;
+};
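Review bot: `NumberlessHorizontalSteps` hard-codes `#07c` and `#69707d` as literal colours, so the polyfilled steps presumably will not follow dark mode or theme overrides the way the rest of the EUI step component does; read the colours from the EUI theme instead, and keep the `// polyfill until …` comment so the override is removed once EUI supports number-less steps. `onClick: () => {}` on every step also makes them render as clickable controls that do nothing; if that is intentional, say so in a comment such as `// steps are informational only; EuiStepsHorizontal requires onClick`. The `as EuiStepsHorizontalProps['steps']` cast papers over `getStepStatus` returning plain `string`; returning `'complete' as const` (and the same for `'current'`/`'incomplete'`) lets the array type-check without the cast.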
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/index.tsx new file mode 100644 index 0000000000000..5ef1c7d9d4182 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/index.tsx @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './add_first_integration_splash'; +export * from './bottom_bar'; +export * from './multi_page_steps_layout'; +export * from './horizontal_page_steps'; +export * from './page_steps'; +export * from './standalone_mode_warning_callout'; +export * from './confirm_incoming_data_with_preview'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/multi_page_steps_layout.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/multi_page_steps_layout.tsx new file mode 100644 index 0000000000000..2ed48b4d3bb59 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/multi_page_steps_layout.tsx 
@@ -0,0 +1,77 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React from 'react'; + +import { FormattedMessage } from '@kbn/i18n-react'; + +import { EuiTitle, EuiSpacer } from '@elastic/eui'; + +import { IntegrationBreadcrumb } from '../../components'; +import { pkgKeyFromPackageInfo } from '../../../../../services'; +import { Error } from '../../../../../components'; +import { WithHeaderLayout } from '../../../../../layouts'; + +import type { MultiPageStepLayoutProps } from '../types'; + +import { PageSteps } from '.'; + +export const MultiPageStepsLayout: React.FunctionComponent = (props) => { + const { packageInfo, integrationInfo, steps, currentStep, error } = props; + + if (error) { + return ( + + } + error={error} + /> + ); + } + + const StepComponent = steps[currentStep].component; + const topContent = ( + <> + +

+ +

+
+ + s.title)} /> + + + ); + + const maxWidth = 866; + return ( + + + + {packageInfo && ( + + )} + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/add_integration.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/add_integration.tsx new file mode 100644 index 0000000000000..90f4de5a08b99 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/add_integration.tsx 
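Review bot: `const StepComponent = steps[currentStep].component;` dereferences `steps[currentStep]` without checking the index is in range; a `currentStep` past the last step, or an empty `steps` array, throws a TypeError during render instead of reaching the `error` branch just above it. Add a guard before the dereference, e.g. `const step = steps[currentStep]; if (!step) return null;`, or document in a comment that callers are responsible for clamping `currentStep`. `const maxWidth = 866;` is also an unexplained magic number next to the `820px` used for the bottom bar; a short comment on where 866 comes from would help the next maintainer.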
@@ -0,0 +1,251 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useCallback, useState, useEffect } from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiSpacer, EuiButtonEmpty, EuiFlexItem, EuiFlexGroup } from '@elastic/eui'; +import { safeLoad } from 'js-yaml'; + +import { i18n } from '@kbn/i18n'; + +import type { MultiPageStepLayoutProps } from '../../types'; +import type { PackagePolicyFormState } from '../../../types'; +import type { NewPackagePolicy } from '../../../../../../types'; +import { sendCreatePackagePolicy, useStartServices } from '../../../../../../hooks'; +import type { RequestError } from '../../../../../../hooks'; +import { Error } from '../../../../../../components'; +import { sendGeneratePackagePolicy } from '../../hooks'; +import { CreatePackagePolicyBottomBar, StandaloneModeWarningCallout } from '..'; +import type { PackagePolicyValidationResults } from '../../../services'; +import { validatePackagePolicy, validationHasErrors } from '../../../services'; +import { NotObscuredByBottomBar } from '..'; +import { StepConfigurePackagePolicy, StepDefinePackagePolicy } from '../../../components'; + +const ExpandableAdvancedSettings: React.FC = ({ children }) => { + const [isShowingAdvanced, setIsShowingAdvanced] = useState(false); + + return ( + + + + + {/* intentionally empty */} + + setIsShowingAdvanced(!isShowingAdvanced)} + flush="left" + > + + + + + + {isShowingAdvanced && {children}} + + + ); +}; +const AddIntegrationError: React.FC<{ error: Error | string; title?: JSX.Element }> = ({ + error, + title, +}) => ( + + ) + } + error={error} + /> +); + +export const AddIntegrationPageStep: React.FC = (props) => { + const { onNext, onBack, isManaged, setIsManaged, packageInfo, integrationInfo, 
agentPolicy } = + props; + + const [basePolicyError, setBasePolicyError] = useState(); + + const { notifications } = useStartServices(); + const [formState, setFormState] = useState('VALID'); + const [validationResults, setValidationResults] = useState(); + + const [packagePolicy, setPackagePolicy] = useState({ + name: '', + description: '', + namespace: 'default', + policy_id: '', + enabled: true, + output_id: '', + inputs: [], + }); + + // Update package policy validation + const updatePackagePolicyValidation = useCallback( + (newPackagePolicy?: NewPackagePolicy) => { + const newValidationResult = validatePackagePolicy( + { ...packagePolicy, ...newPackagePolicy }, + packageInfo, + safeLoad + ); + setValidationResults(newValidationResult); + // eslint-disable-next-line no-console + console.debug('Package policy validation results', newValidationResult); + + return newValidationResult; + }, + [packageInfo, packagePolicy] + ); + // Update package policy method + const updatePackagePolicy = useCallback( + (updatedFields: Partial) => { + const newPackagePolicy = { + ...packagePolicy, + ...updatedFields, + } as NewPackagePolicy; + setPackagePolicy(newPackagePolicy); + + // eslint-disable-next-line no-console + console.debug('Package policy updated', newPackagePolicy); + const newValidationResults = updatePackagePolicyValidation(newPackagePolicy); + const hasPackage = newPackagePolicy.package; + const hasValidationErrors = newValidationResults + ? 
validationHasErrors(newValidationResults) + : false; + if (hasPackage && !hasValidationErrors) { + setFormState('VALID'); + } else { + setFormState('INVALID'); + } + }, + [packagePolicy, updatePackagePolicyValidation] + ); + + // Save package policy + const savePackagePolicy = async (pkgPolicy: NewPackagePolicy) => { + setFormState('LOADING'); + const result = await sendCreatePackagePolicy(pkgPolicy); + setFormState('SUBMITTED'); + return result; + }; + + const onSubmit = useCallback(async () => { + const hasErrors = validationResults ? validationHasErrors(validationResults) : false; + + if (formState === 'VALID' && hasErrors) { + setFormState('INVALID'); + return; + } + setFormState('LOADING'); + + const { error } = await savePackagePolicy(packagePolicy); + if (error) { + notifications.toasts.addError(error, { + title: 'Error', + }); + setFormState('VALID'); + } else { + onNext(); + } + }, [validationResults, formState, packagePolicy, notifications.toasts, onNext]); + + useEffect(() => { + const getBasePolicy = async () => { + if (!agentPolicy) { + return; + } + const { packagePolicy: basePackagePolicy, error } = await sendGeneratePackagePolicy( + agentPolicy.id, + packageInfo, + integrationInfo?.name + ); + + if (error) { + setBasePolicyError(error); + } + updatePackagePolicy(basePackagePolicy); + }; + getBasePolicy(); + }, []); // eslint-disable-line react-hooks/exhaustive-deps + + if (!agentPolicy) { + return ( + + ); + } + if (basePolicyError) { + return ; + } + + return ( + <> + {isManaged ? null : } + + + {validationResults && ( + + + + )} + + setIsManaged(true)} + onNext={onSubmit} + isLoading={formState === 'LOADING'} + isDisabled={formState === 'INVALID'} + loadingMessage={ + + } + actionMessage={ + isManaged ? ( + + ) : ( + + ) + } + /> + + ); +}; 
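Review bot: `console.debug('Package policy updated', newPackagePolicy)` in `updatePackagePolicy`, and the matching debug line in `updatePackagePolicyValidation`, write the whole package policy to the browser console on every update, and that object can include input variables the user has typed, which for some integrations are credentials. Drop the two lines, or log only a non-sensitive field such as `newPackagePolicy.name`, and remove the accompanying `eslint-disable-next-line no-console` comments. `title: 'Error'` in the `onSubmit` toast is the only untranslated user-facing string in a file that otherwise uses `i18n`/`FormattedMessage`; wrap it with `i18n.translate`. The mount-time `useEffect` that calls `getBasePolicy` is also worth a comment explaining why it deliberately runs once, since the `eslint-disable-line react-hooks/exhaustive-deps` hides that intent.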
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/confirm_data.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/confirm_data.tsx new file mode 100644 index 0000000000000..ce40b87e4e512 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/confirm_data.tsx @@ -0,0 +1,46 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useState } from 'react'; + +import type { MultiPageStepLayoutProps } from '../../types'; +import { useStartServices } from '../../../../../../hooks'; + +import { + ConfirmIncomingDataWithPreview, + CreatePackagePolicyFinalBottomBar, + NotObscuredByBottomBar, +} from '..'; + +export const ConfirmDataPageStep: React.FC = (props) => { + const { enrolledAgentIds, packageInfo } = props; + const core = useStartServices(); + + const [agentDataConfirmed, setAgentDataConfirmed] = useState(false); + const { docLinks } = core; + const troubleshootLink = docLinks.links.fleet.troubleshooting; + return ( + <> + + + {!!agentDataConfirmed && ( + <> + + + + )} + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/index.tsx new file mode 100644 index 0000000000000..b0a97d8c7d0a5 --- /dev/null 
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/index.tsx @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { InstallElasticAgentPageStep } from './install_agent'; +export { AddIntegrationPageStep } from './add_integration'; +export { ConfirmDataPageStep } from './confirm_data'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/index.tsx new file mode 100644 index 0000000000000..f63dd30ec1e34 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/index.tsx 
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import React from 'react';
+import { useState } from 'react';
+
+import type { MultiPageStepLayoutProps } from '../../../types';
+
+import { usePollingAgentCount } from '../../../../../../../../../components/agent_enrollment_flyout/confirm_agent_enrollment';
+
+import { InstallElasticAgentManagedPageStep } from './install_agent_managed';
+import { InstallElasticAgentStandalonePageStep } from './install_agent_standalone';
+
+export const InstallElasticAgentPageStep: React.FC = (props) => {
+ const [localIsManaged, setLocalIsManaged] = useState(props.isManaged);
+ const [useLocalState, setUseLocalState] = useState(false);
+
+ const enrolledAgentIds = usePollingAgentCount(props.agentPolicy?.id || '', {
+ noLowerTimeLimit: true,
+ pollImmediately: true,
+ });
+ const onNext = () => {
+ props.setEnrolledAgentIds(enrolledAgentIds);
+ props.onNext();
+ };
+
+ const managedPageProps = {
+ ...props,
+ onNext,
+ enrolledAgentIds,
+ setIsManaged: useLocalState ? setLocalIsManaged : props.setIsManaged,
+ };
+ if (localIsManaged) {
+ return ;
+ }
+ const standalonePageProps = {
+ ...props,
+ onNext,
+ enrolledAgentIds,
+ setIsManaged: (newIsManaged: boolean) => {
+ if (newIsManaged) {
+ // once you are in the standalone set of steps and the package policy
+ // has been created, there is no going back to the managed steps.
+ // instead only this page view is toggled.
+ setUseLocalState(true);
+ }
+ setLocalIsManaged(newIsManaged);
+ },
+ };
+ return ;
+};
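Review bot: `localIsManaged` is initialised once from `props.isManaged` and never resynchronised, yet while `useLocalState` is false the managed page is handed `props.setIsManaged` as its `setIsManaged`; the "standalone mode" link there updates the parent but not `localIsManaged`, so `if (localIsManaged)` keeps rendering the managed page unless the parent remounts this component when `isManaged` changes. Either render from `useLocalState ? localIsManaged : props.isManaged`, or pass a setter that updates both. `usePollingAgentCount(props.agentPolicy?.id || '', …)` polls with an empty policy id when no agent policy is provided; worth confirming the hook treats `''` as "do not poll", and a one-line comment on why `pollImmediately`/`noLowerTimeLimit` are set here would help.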
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_managed.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_managed.tsx new file mode 100644 index 0000000000000..0bec2892d688d --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_managed.tsx 
@@ -0,0 +1,117 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useMemo, useState } from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiText, EuiLink, EuiSteps, EuiSpacer } from '@elastic/eui'; + +import { Error } from '../../../../../../../components'; +import { useKibanaVersion, useStartServices } from '../../../../../../../../../hooks'; +import { CreatePackagePolicyBottomBar, NotObscuredByBottomBar } from '../..'; +import { + InstallManagedAgentStep, + AgentEnrollmentConfirmationStep, +} from '../../../../../../../../../components/agent_enrollment_flyout/steps'; +import { ManualInstructions } from '../../../../../../../../../components/enrollment_instructions'; + +import type { InstallAgentPageProps } from './types'; + +export const InstallElasticAgentManagedPageStep: React.FC = (props) => { + const { + cancelUrl, + onNext, + cancelClickHandler, + setIsManaged, + agentPolicy, + enrollmentAPIKey, + settings, + enrolledAgentIds, + } = props; + + const core = useStartServices(); + const { docLinks } = core; + const link = docLinks.links.fleet.troubleshooting; + + const kibanaVersion = useKibanaVersion(); + + const [commandCopied, setCommandCopied] = useState(false); + + const fleetServerHosts = useMemo(() => { + return settings?.fleet_server_hosts || []; + }, [settings]); + + if (!enrollmentAPIKey) { + return ( + + } + error={'Enrollment API key not found'} + /> + ); + } + + const installManagedCommands = ManualInstructions( + enrollmentAPIKey.api_key, + fleetServerHosts, + kibanaVersion + ); + + const steps = [ + InstallManagedAgentStep({ + installCommand: installManagedCommands, + apiKeyData: { item: enrollmentAPIKey }, + selectedApiKeyId: enrollmentAPIKey.id, + isComplete: commandCopied || 
!!enrolledAgentIds.length, + fullCopyButton: true, + onCopy: () => setCommandCopied(true), + }), + AgentEnrollmentConfirmationStep({ + selectedPolicyId: agentPolicy?.id, + troubleshootLink: link, + agentCount: enrolledAgentIds.length, + showLoading: true, + poll: commandCopied, + }), + ]; + + return ( + <> + + setIsManaged(false)}>standalone mode, + }} + /> + + + + {!!enrolledAgentIds.length && ( + <> + + + } + /> + + )} + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_standalone.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_standalone.tsx new file mode 100644 index 0000000000000..2f2fd06665232 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/install_agent_standalone.tsx 
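Review bot: `fleetServerHosts` falls back to `[]` when `settings.fleet_server_hosts` is absent, and the page still builds and displays the enrol command via `ManualInstructions(enrollmentAPIKey.api_key, fleetServerHosts, kibanaVersion)` with no host; unlike the missing-`enrollmentAPIKey` case there is no error branch, so the user presumably gets a command that cannot enrol. Consider an `if (!fleetServerHosts.length)` branch mirroring the API-key one. `error={'Enrollment API key not found'}` is the only untranslated user-facing string in this file; wrap it with `i18n.translate` as the sibling files do. The `poll: commandCopied` argument to `AgentEnrollmentConfirmationStep` deserves a comment, `// only poll for enrolled agents once the user has copied the command`.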
@@ -0,0 +1,147 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useState, useEffect } from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiSteps, EuiSpacer } from '@elastic/eui'; +import { safeDump } from 'js-yaml'; + +import type { FullAgentPolicy } from '../../../../../../../../../../common/types/models/agent_policy'; + +import { + CreatePackagePolicyBottomBar, + StandaloneModeWarningCallout, + NotObscuredByBottomBar, +} from '../..'; +import { + fullAgentPolicyToYaml, + agentPolicyRouteService, +} from '../../../../../../../../../services'; + +import { Error as FleetError } from '../../../../../../../components'; +import { + useKibanaVersion, + useStartServices, + sendGetOneAgentPolicyFull, +} from '../../../../../../../../../hooks'; +import { + InstallStandaloneAgentStep, + AgentEnrollmentConfirmationStep, + ConfigureStandaloneAgentStep, +} from '../../../../../../../../../components/agent_enrollment_flyout/steps'; +import { StandaloneInstructions } from '../../../../../../../../../components/enrollment_instructions'; + +import type { InstallAgentPageProps } from './types'; + +export const InstallElasticAgentStandalonePageStep: React.FC = (props) => { + const { onBack, onNext, setIsManaged, agentPolicy, enrolledAgentIds } = props; + const core = useStartServices(); + const kibanaVersion = useKibanaVersion(); + const { docLinks } = core; + const [yaml, setYaml] = useState(''); + const link = docLinks.links.fleet.troubleshooting; + const [commandCopied, setCommandCopied] = useState(false); + const [policyCopied, setPolicyCopied] = useState(false); + const [fullAgentPolicy, setFullAgentPolicy] = useState(); + + useEffect(() => { + async function fetchFullPolicy() { + try { + if (!agentPolicy?.id) { + return; + 
} + const query = { standalone: true, kubernetes: false }; + const res = await sendGetOneAgentPolicyFull(agentPolicy?.id, query); + if (res.error) { + throw res.error; + } + + if (!res.data) { + throw new Error('No data while fetching full agent policy'); + } + setFullAgentPolicy(res.data.item); + } catch (error) { + core.notifications.toasts.addError(error, { + title: 'Error', + }); + } + } + fetchFullPolicy(); + }, [core.http.basePath, agentPolicy?.id, core.notifications.toasts]); + + useEffect(() => { + if (!fullAgentPolicy) { + return; + } + + setYaml(fullAgentPolicyToYaml(fullAgentPolicy, safeDump)); + }, [fullAgentPolicy]); + + if (!agentPolicy) { + return ( + + } + error={'Agent policy not provided'} + /> + ); + } + + const installManagedCommands = StandaloneInstructions(kibanaVersion); + + const downloadLink = core.http.basePath.prepend( + `${agentPolicyRouteService.getInfoFullDownloadPath(agentPolicy?.id)}?standalone=true` + ); + const steps = [ + ConfigureStandaloneAgentStep({ + selectedPolicyId: agentPolicy?.id, + yaml, + downloadLink, + isComplete: policyCopied, + onCopy: () => setPolicyCopied(true), + }), + InstallStandaloneAgentStep({ + installCommand: installManagedCommands, + isComplete: yaml && commandCopied, + fullCopyButton: true, + onCopy: () => setCommandCopied(true), + }), + AgentEnrollmentConfirmationStep({ + selectedPolicyId: agentPolicy?.id, + troubleshootLink: link, + agentCount: enrolledAgentIds.length, + showLoading: true, + }), + ]; + + return ( + <> + + + + {!!enrolledAgentIds.length && ( + <> + + + } + /> + + )} + + ); +}; 
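Review bot: `isComplete: yaml && commandCopied` evaluates to `''` while the YAML has not loaded, so `InstallStandaloneAgentStep` receives a string where a boolean is expected; use `!!yaml && commandCopied`. The `fetchFullPolicy` effect has no cancellation: if `agentPolicy.id` changes or the component unmounts while `sendGetOneAgentPolicyFull` is in flight, `setFullAgentPolicy` and the error toast still fire with the stale result, and the dependency list names `core.http.basePath`, which the effect body never reads. `installManagedCommands` holds `StandaloneInstructions(kibanaVersion)`; renaming it `installStandaloneCommands` avoids confusion with the managed page, and after the `if (!agentPolicy)` guard the later `agentPolicy?.id` optional chains can be plain `agentPolicy.id`.
```typescript
useEffect(() => {
  let cancelled = false;
  async function fetchFullPolicy() {
    try {
      // … unchanged: id guard, sendGetOneAgentPolicyFull call, error / no-data throws …
      if (!cancelled) {
        setFullAgentPolicy(res.data.item);
      }
    } catch (error) {
      if (!cancelled) {
        core.notifications.toasts.addError(error, {
          title: 'Error',
        });
      }
    }
  }
  fetchFullPolicy();
  return () => {
    cancelled = true;
  };
}, [agentPolicy?.id, core.notifications.toasts]);
```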
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/selectors.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/types.ts similarity index 50% rename from x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/selectors.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/types.ts index 5c7dc8360ec9f..f5d955a7f3f5a 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/selectors.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/page_steps/install_agent/types.ts @@ -4,9 +4,9 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SyntheticsAppState } from '../root_reducer'; -export const monitorListSelector = (state: SyntheticsAppState) => state.monitorList.data; +import type { MultiPageStepLayoutProps } from '../../../types'; -export const serviceLocationsSelector = (state: SyntheticsAppState) => - state.serviceLocations.locations; +export type InstallAgentPageProps = MultiPageStepLayoutProps & { + enrolledAgentIds: string[]; +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/standalone_mode_warning_callout.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/standalone_mode_warning_callout.tsx new file mode 100644 index 0000000000000..41e85ad63798d --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/components/standalone_mode_warning_callout.tsx 
@@ -0,0 +1,38 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiText, EuiCallOut, EuiLink, EuiButton, EuiSpacer } from '@elastic/eui'; + +import type { MultiPageStepLayoutProps } from '../types'; + +export const StandaloneModeWarningCallout: React.FC<{ + setIsManaged: MultiPageStepLayoutProps['setIsManaged']; +}> = ({ setIsManaged }) => { + return ( + + + Fleet-managed agents }} + /> + + + setIsManaged(true)} color="primary"> + + + + ); +}; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/index.tsx new file mode 100644 index 0000000000000..e795f03e2f4b6 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/index.tsx @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export { sendGeneratePackagePolicy } from './send_generate_package_policy'; +export { useGetAgentPolicyOrDefault } from './use_get_agent_policy_or_default'; +export { useGetDiscoverLogsLinkForAgents } from './use_get_logs_discover_link'; 
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/send_generate_package_policy.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/send_generate_package_policy.tsx new file mode 100644 index 0000000000000..5b51416c7f850 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/send_generate_package_policy.tsx 
@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { NewPackagePolicy, PackageInfo } from '../../../../../types';
+
+import { PACKAGE_POLICY_SAVED_OBJECT_TYPE } from '../../../../../../../constants';
+import { SO_SEARCH_LIMIT, getMaxPackageName } from '../../../../../../../../common';
+import { packageToPackagePolicy } from '../../../../../services';
+import { sendGetPackagePolicies } from '../../../../../hooks';
+
+export const sendGeneratePackagePolicy = async (
+ agentPolicyId: string,
+ packageInfo: PackageInfo,
+ integrationToEnable?: string
+) => {
+ const { data: packagePolicyData, error } = await sendGetPackagePolicies({
+ perPage: SO_SEARCH_LIMIT,
+ page: 1,
+ kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:${packageInfo.name}`,
+ });
+
+ const incrementedName = getMaxPackageName(packageInfo.name, packagePolicyData?.items);
+
+ const defaultPolicy: NewPackagePolicy = {
+ name: incrementedName,
+ description: '',
+ namespace: 'default',
+ policy_id: agentPolicyId,
+ enabled: true,
+ output_id: '',
+ inputs: [],
+ };
+
+ const packagePolicy = packageToPackagePolicy(
+ packageInfo,
+ agentPolicyId,
+ defaultPolicy.output_id,
+ defaultPolicy.namespace,
+ defaultPolicy.name,
+ defaultPolicy.description,
+ integrationToEnable
+ );
+
+ return {
+ packagePolicy,
+ error,
+ };
+};
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_agent_policy_or_default.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_agent_policy_or_default.tsx
new file mode 100644
index 0000000000000..1c3fb2ea3dc03
--- /dev/null
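Review bot: The `error` from sendGetPackagePolicies is passed back to the caller but never acted on inside sendGeneratePackagePolicy, so when the lookup fails `packagePolicyData` is undefined, getMaxPackageName runs on an empty result, and the returned policy carries a name that may collide with one that already exists; returning early with `{ packagePolicy: undefined, error }` before building `defaultPolicy` keeps the failure and success paths distinct. The kuery also interpolates `packageInfo.name` unquoted, so a name containing KQL-significant characters (space, colon, quote) would alter the query; quoting the value as `package.name:"${packageInfo.name}"` is the safer form, although a registry package name is presumably already constrained.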
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_agent_policy_or_default.tsx 
@@ -0,0 +1,118 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useState } from 'react';
+
+import {
+ sendCreateAgentPolicy,
+ sendGetOneAgentPolicy,
+ sendGetEnrollmentAPIKeys,
+} from '../../../../../../../hooks';
+
+import type { AgentPolicy, NewAgentPolicy, EnrollmentAPIKey } from '../../../../../../../types';
+
+interface UseGetAgentPolicyOrDefaultResponse {
+ isLoading: boolean;
+ error?: Error;
+ agentPolicy?: AgentPolicy;
+ enrollmentAPIKey?: EnrollmentAPIKey;
+ created?: boolean;
+}
+export const DEFAULT_AGENT_POLICY_ID: string = 'fleet-first-agent-policy';
+export const DEFAULT_AGENT_POLICY: NewAgentPolicy = Object.freeze({
+ id: DEFAULT_AGENT_POLICY_ID,
+ name: 'My first agent policy',
+ namespace: 'default',
+});
+
+const sendGetAgentPolicy = async (agentPolicyId: string) => {
+ let result;
+ let error;
+ try {
+ result = await sendGetOneAgentPolicy(agentPolicyId);
+ if (result.error) {
+ error = result.error;
+ }
+ } catch (e) {
+ error = e;
+ }
+
+ if (error && error.statusCode !== 404) {
+ return { error };
+ }
+
+ return { data: result?.data };
+};
+
+const sendCreateDefaultAgentPolicy = sendCreateAgentPolicy.bind(null, DEFAULT_AGENT_POLICY);
+
+export function useGetAgentPolicyOrDefault(agentPolicyIdIn?: string) {
+ const [result, setResult] = useState({ isLoading: true });
+
+ useEffect(() => {
+ const getAgentPolicyOrDefault = async () => {
+ const agentPolicyId = agentPolicyIdIn || DEFAULT_AGENT_POLICY_ID;
+ const { data: agentPolicyData, error: getError } = await sendGetAgentPolicy(agentPolicyId);
+
+ const existingAgentPolicy = agentPolicyData?.item;
+
+ if (agentPolicyIdIn && !existingAgentPolicy) {
+ setResult({
+ isLoading: false,
+ error: new Error(`Agent policy ${agentPolicyId} not found`),
+ });
+ return;
+ }
+ let createdAgentPolicy;
+ if (getError) {
+ setResult({ isLoading: false, error: getError });
+ return;
+ }
+
+ if (!existingAgentPolicy) {
+ const { data: createdAgentPolicyData, error: createError } =
+ await sendCreateDefaultAgentPolicy();
+
+ if (createError) {
+ setResult({ isLoading: false, error: createError });
+ return;
+ }
+
+ createdAgentPolicy = createdAgentPolicyData!.item;
+ }
+
+ const agentPolicy = (existingAgentPolicy || createdAgentPolicy) as AgentPolicy;
+
+ const { data: apiKeysData, error: apiKeysError } = await sendGetEnrollmentAPIKeys({
+ page: 1,
+ perPage: 1,
+ kuery: `policy_id:${agentPolicyId}`,
+ });
+
+ if (apiKeysError) {
+ setResult({ isLoading: false, error: apiKeysError });
+ return;
+ }
+
+ if (!apiKeysData || !apiKeysData.items?.length) {
+ setResult({
+ isLoading: false,
+ error: new Error(`No enrollment API key found for policy ${agentPolicyId}`),
+ });
+ return;
+ }
+
+ const enrollmentAPIKey = apiKeysData.items[0];
+
+ setResult({ isLoading: false, created: !!createdAgentPolicy, agentPolicy, enrollmentAPIKey });
+ };
+
+ getAgentPolicyOrDefault();
+ }, [agentPolicyIdIn]);
+
+ return result;
+}
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_logs_discover_link.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_logs_discover_link.tsx
new file mode 100644
index 0000000000000..2f3f2a7de0bbe
--- /dev/null
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/hooks/use_get_logs_discover_link.tsx
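Review bot: The "not found" branch at the top of getAgentPolicyOrDefault runs before the `getError` check, and sendGetAgentPolicy returns `{ error }` with no data for every non-404 failure, so a 403 or a transport error on a caller-supplied policy id is reported as `Agent policy … not found` and the real error is lost; moving the `if (getError) { … }` block above the `agentPolicyIdIn && !existingAgentPolicy` check fixes the ordering. `agentPolicyId` is interpolated unquoted into the enrollment-keys kuery and, from the caller visible later in this commit, appears to originate from a URL query parameter, so it should be quoted, `kuery: \`policy_id:"${agentPolicyId}"\``, and ideally validated against the id format before use. The async effect has no cancellation guard, so if `agentPolicyIdIn` changes before an earlier request resolves the stale result can overwrite the newer one; a `let cancelled = false` flag checked before each `setResult` and set in the effect cleanup closes that window. Note also that the hook creates DEFAULT_AGENT_POLICY as a side effect of merely rendering its caller, which is worth a comment on the hook since callers may not expect a write.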
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useState } from 'react';
+
+import { useStartServices } from '../../../../../../../hooks';
+
+export const useGetDiscoverLogsLinkForAgents = (agentIds: string[]) => {
+ const { discover } = useStartServices();
+ const [link, setLink] = useState(null);
+
+ useEffect(() => {
+ const getLink = async () => {
+ if (discover && discover.locator) {
+ const newLink = await discover.locator.getUrl({
+ indexPatternId: 'logs-*',
+ timeRange: {
+ from: 'now-1h',
+ to: 'now',
+ mode: 'relative',
+ },
+ filters: [
+ {
+ meta: {
+ alias: 'Recently enrolled agents',
+ index: 'logs-*',
+ },
+ query: {
+ terms: {
+ 'agent.id': agentIds,
+ },
+ },
+ },
+ ],
+ });
+ setLink(newLink);
+ }
+ };
+ getLink();
+ }, [discover, agentIds]);
+
+ return link;
+};
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/index.tsx
index 392d059d1cb98..28857570e58b0 100644
--- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/index.tsx
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/index.tsx
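Review bot: The effect in useGetDiscoverLogsLinkForAgents depends on `agentIds` by reference, so a caller that passes a fresh array each render will re-run the locator call on every render; either document that the argument must be memoized or key the effect on a stable value such as `agentIds.join(',')`. An empty `agentIds` still builds a `terms` filter and returns a link that matches nothing, so an early `if (!agentIds.length) return;` inside getLink would avoid handing the caller a misleading URL. As in the sibling hook, the async call has no cancellation guard, so a stale `setLink` can land after the inputs change.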
@@ -4,21 +4,69 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import React, { useMemo } from 'react'; +import React, { useMemo, useState } from 'react'; import { useRouteMatch } from 'react-router-dom'; +import { i18n } from '@kbn/i18n'; import { splitPkgKey } from '../../../../../../../common'; -import { useGetPackageInfoByKey } from '../../../../hooks'; +import { useGetPackageInfoByKey, useGetSettings } from '../../../../hooks'; import type { AddToPolicyParams, CreatePackagePolicyParams } from '../types'; import { useCancelAddPackagePolicy } from '../hooks'; -import { AddFirstIntegrationSplashScreen } from './components/add_first_integration_splash'; -export const CreatePackagePolicyMultiPage: CreatePackagePolicyParams = ({ from }) => { +import { useGetAgentPolicyOrDefault } from './hooks'; + +import { + AddFirstIntegrationSplashScreen, + MultiPageStepsLayout, + InstallElasticAgentPageStep, + AddIntegrationPageStep, + ConfirmDataPageStep, +} from './components'; + +const installAgentStep = { + title: i18n.translate('xpack.fleet.createFirstPackagePolicy.installAgentStepTitle', { + defaultMessage: 'Install Elastic Agent', + }), + component: InstallElasticAgentPageStep, +}; + +const addIntegrationStep = { + title: i18n.translate('xpack.fleet.createFirstPackagePolicy.addIntegrationStepTitle', { + defaultMessage: 'Add the integration', + }), + component: AddIntegrationPageStep, +}; + +const confirmDataStep = { + title: i18n.translate('xpack.fleet.createFirstPackagePolicy.confirmDataStepTitle', { + defaultMessage: 'Confirm incoming data', + }), + component: ConfirmDataPageStep, +}; + +const fleetManagedSteps = [installAgentStep, addIntegrationStep, confirmDataStep]; + +const standaloneSteps = [addIntegrationStep, installAgentStep, confirmDataStep]; + +export const CreatePackagePolicyMultiPage: CreatePackagePolicyParams = ({ + from, + queryParamsPolicyId, +}) => { const { params } = useRouteMatch(); const { pkgName, 
pkgVersion } = splitPkgKey(params.pkgkey); + const [onSplash, setOnSplash] = useState(true); + const [currentStep, setCurrentStep] = useState(0); + const [isManaged, setIsManaged] = useState(true); + const [enrolledAgentIds, setEnrolledAgentIds] = useState([]); + const toggleIsManaged = (newIsManaged: boolean) => { + setIsManaged(newIsManaged); + setCurrentStep(0); + }; + + const { isLoading: isSettingsLoading, data: settingsData } = useGetSettings(); const { data: packageInfoData, @@ -26,7 +74,15 @@ export const CreatePackagePolicyMultiPage: CreatePackagePolicyParams = ({ from } isLoading: isPackageInfoLoading, } = useGetPackageInfoByKey(pkgName, pkgVersion); + const { + agentPolicy, + enrollmentAPIKey, + error: agentPolicyError, + isLoading: isAgentPolicyLoading, + } = useGetAgentPolicyOrDefault(queryParamsPolicyId); + const packageInfo = useMemo(() => packageInfoData?.item, [packageInfoData]); + const settings = useMemo(() => settingsData?.item, [settingsData]); const integrationInfo = useMemo(() => { if (!params.integration) return; @@ -35,22 +91,64 @@ export const CreatePackagePolicyMultiPage: CreatePackagePolicyParams = ({ from } ); }, [packageInfo?.policy_templates, params]); - const splashScreenNext = () => {}; // TODO: (in following PR) this will display the add package policy steps + const splashScreenNext = () => { + setOnSplash(false); + }; const { cancelClickHandler, cancelUrl } = useCancelAddPackagePolicy({ from, pkgkey: params.pkgkey, }); + if (onSplash || !packageInfo) { + return ( + + ); + } + + const steps = isManaged ? fleetManagedSteps : standaloneSteps; + const stepsNext = () => { + if (currentStep === steps.length - 1) { + return; + } + + setCurrentStep(currentStep + 1); + }; + + const stepsBack = () => { + if (currentStep === 0) { + cancelClickHandler(null); + return; + } + + setCurrentStep(currentStep - 1); + }; + return ( - ); }; 
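Review bot: `useGetAgentPolicyOrDefault(queryParamsPolicyId)` runs on mount, and the hook body added in this commit creates the default agent policy when none exists, so merely opening this page, while the user is still on the splash screen, can create "My first agent policy" before anything is confirmed; if that is not intended, pass a flag into the hook so it waits until `onSplash` is false. `stepsNext` and `stepsBack` read `currentStep` from the render closure, so `setCurrentStep((step) => step + 1)` and `setCurrentStep((step) => step - 1)` are the safer form if two updates can land in one render. The component's JSX return at the end of the third hunk did not survive extraction, so whether `agentPolicyError` and `isAgentPolicyLoading` are actually surfaced to the user could not be checked here; the same applies to the `toggleIsManaged` helper.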
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/types.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/types.ts
new file mode 100644
index 0000000000000..327be01e0b3e9
--- /dev/null
+++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/multi_page_layout/types.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type React from 'react';
+
+import type {
+ RegistryPolicyTemplate,
+ PackageInfo,
+ AgentPolicy,
+ Settings,
+ EnrollmentAPIKey,
+} from '../../../../types';
+
+export interface MultiPageStep {
+ title: string;
+ component: React.FC;
+}
+
+export interface MultiPageStepLayoutProps {
+ settings?: Settings;
+ agentPolicy?: AgentPolicy;
+ error?: Error;
+ enrollmentAPIKey?: EnrollmentAPIKey;
+ packageInfo: PackageInfo;
+ integrationInfo?: RegistryPolicyTemplate;
+ cancelClickHandler: React.ReactEventHandler;
+ onBack: React.ReactEventHandler;
+ cancelUrl: string;
+ steps: MultiPageStep[];
+ currentStep: number;
+ onNext: () => void;
+ setIsManaged: (isManaged: boolean) => void;
+ isManaged: boolean;
+ setEnrolledAgentIds: (agentIds: string[]) => void;
+ enrolledAgentIds: string[];
+}
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/has_invalid_but_required_var.test.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/has_invalid_but_required_var.test.ts similarity index 100% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/has_invalid_but_required_var.test.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/has_invalid_but_required_var.test.ts diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/has_invalid_but_required_var.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/has_invalid_but_required_var.ts similarity index 97% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/has_invalid_but_required_var.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/has_invalid_but_required_var.ts index b6557382af047..2d339013f5033 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/has_invalid_but_required_var.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/has_invalid_but_required_var.ts @@ -7,7 +7,7 @@ import { safeLoad } from 'js-yaml'; -import type { PackagePolicyConfigRecord, RegistryVarsEntry } from '../../../../../types'; +import type { PackagePolicyConfigRecord, RegistryVarsEntry } from '../../../../types'; import { validatePackagePolicyConfig } from '.'; 
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/index.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/index.ts similarity index 90% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/index.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/index.ts index a22f2aa11da61..38ef2a60e41d0 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/index.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/index.ts @@ -11,10 +11,10 @@ export type { PackagePolicyValidationResults, PackagePolicyConfigValidationResults, PackagePolicyInputValidationResults, -} from '../../../../../services'; +} from '../../../../services'; export { validatePackagePolicy, validatePackagePolicyConfig, validationHasErrors, countValidationErrors, -} from '../../../../../services'; +} from '../../../../services'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/is_advanced_var.test.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/is_advanced_var.test.ts similarity index 100% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/is_advanced_var.test.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/is_advanced_var.test.ts 
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/is_advanced_var.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/is_advanced_var.ts similarity index 87% rename from x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/is_advanced_var.ts rename to x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/is_advanced_var.ts index 50ddbb2e478b5..1f72073573d7b 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/services/is_advanced_var.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/services/is_advanced_var.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { RegistryVarsEntry } from '../../../../../types'; +import type { RegistryVarsEntry } from '../../../../types'; export const isAdvancedVar = (varDef: RegistryVarsEntry): boolean => { if (varDef.show_user || (varDef.required && varDef.default === undefined)) { diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/index.ts b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/index.ts index a53351ba2cc33..b95664f149c1f 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/index.ts +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/components/index.ts 
@@ -6,6 +6,4 @@ */ export { CreatePackagePolicySinglePageLayout } from './layout'; -export { PackagePolicyInputPanel } from './package_policy_input_panel'; -export { PackagePolicyInputVarField } from './package_policy_input_var_field'; export { PostInstallAddAgentModal } from './post_install_add_agent_modal'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/index.tsx index 9786099bd929a..5ac9d65445f09 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/index.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/single_page_layout/index.tsx @@ -54,12 +54,17 @@ import type { import { IntegrationBreadcrumb } from '../components'; +import type { PackagePolicyValidationResults } from '../services'; +import { validatePackagePolicy, validationHasErrors } from '../services'; + +import { + StepConfigurePackagePolicy, + StepDefinePackagePolicy, + SelectedPolicyTab, + StepSelectHosts, +} from '../components'; + import { CreatePackagePolicySinglePageLayout, PostInstallAddAgentModal } from './components'; -import type { PackagePolicyValidationResults } from './services'; -import { validatePackagePolicy, validationHasErrors } from './services'; -import { StepConfigurePackagePolicy } from './step_configure_package'; -import { StepDefinePackagePolicy } from './step_define_package_policy'; -import { SelectedPolicyTab, StepSelectHosts } from './step_select_hosts'; const StepsWithLessPadding = styled(EuiSteps)` .euiStep__content { 
@@ -134,7 +139,7 @@ export const CreatePackagePolicySinglePage: CreatePackagePolicyParams = ({ namespace: 'default', policy_id: '', enabled: true, - output_id: '', // TODO: Blank for now as we only support default output + output_id: '', inputs: [], }); @@ -535,7 +540,6 @@ export const CreatePackagePolicySinglePage: CreatePackagePolicyParams = ({ /> ); } - return ( diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/edit_package_policy_page/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/edit_package_policy_page/index.tsx index 2c3145fa492cb..8dbd07dbcd0a9 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/edit_package_policy_page/index.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/edit_package_policy_page/index.tsx 
@@ -50,17 +50,16 @@ import { import { Loading, Error, ExtensionWrapper, EuiButtonWithTooltip } from '../../../components'; import { ConfirmDeployAgentPolicyModal } from '../components'; import { CreatePackagePolicySinglePageLayout } from '../create_package_policy_page/single_page_layout/components'; -import type { PackagePolicyValidationResults } from '../create_package_policy_page/single_page_layout/services'; -import { - validatePackagePolicy, - validationHasErrors, -} from '../create_package_policy_page/single_page_layout/services'; +import type { PackagePolicyValidationResults } from '../create_package_policy_page/services'; +import { validatePackagePolicy, validationHasErrors } from '../create_package_policy_page/services'; import type { PackagePolicyFormState, EditPackagePolicyFrom, } from '../create_package_policy_page/types'; -import { StepConfigurePackagePolicy } from '../create_package_policy_page/single_page_layout/step_configure_package'; -import { StepDefinePackagePolicy } from '../create_package_policy_page/single_page_layout/step_define_package_policy'; +import { + StepConfigurePackagePolicy, + StepDefinePackagePolicy, +} from '../create_package_policy_page/components'; import type { GetOnePackagePolicyResponse, UpgradePackagePolicyDryRunResponse, diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx index f49d4910ab9f9..b4677761be1a2 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_dataset.tsx 
@@ -8,6 +8,7 @@ import React, { memo, useState, useEffect, useCallback } from 'react'; import { EuiPopover, EuiFilterButton, EuiFilterSelectItem } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/public'; import { useStartServices } from '../../../../../hooks'; @@ -33,8 +34,8 @@ export const DatasetFilter: React.FunctionComponent<{ indexPattern: { title: AGENT_LOG_INDEX_PATTERN, fields: [DATASET_FIELD], - }, - field: DATASET_FIELD, + } as DataView, + field: DATASET_FIELD as DataViewField, query: '', }); if (values.length > 0) setDatasetValues(values.sort()); diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx index 3a25c939872f4..b512b0a5643d6 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/agent_details_page/components/agent_logs/filter_log_level.tsx @@ -8,6 +8,7 @@ import React, { memo, useState, useEffect, useCallback } from 'react'; import { EuiPopover, EuiFilterButton, EuiFilterSelectItem, EuiIcon, EuiSpacer } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; +import type { DataView, DataViewField } from '@kbn/data-views-plugin/public'; import { useStartServices } from '../../../../../hooks'; @@ -44,8 +45,8 @@ export const LogLevelFilter: React.FunctionComponent<{ indexPattern: { title: AGENT_LOG_INDEX_PATTERN, fields: [LOG_LEVEL_FIELD], - }, - field: LOG_LEVEL_FIELD, + } as DataView, + field: LOG_LEVEL_FIELD as DataViewField, query: '', }); setLevelValues(sortLogLevels(values)); 
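Review bot: The `as DataView` cast on the `{ title, fields }` literal in the second hunk of filter_dataset.tsx asserts a type the object does not satisfy, so the compiler no longer verifies that the suggestions call receives what it expects and any future change to the DataView contract will surface at runtime instead of at review; the same cast appears in filter_log_level.tsx. If the suggestions API genuinely reads only `title` and `fields`, a narrower parameter type on that API, or building the object through the data views service, would keep the type check instead of silencing it. At minimum a comment such as `// partial DataView: the suggestions call only reads title and fields` would tell the next reader why the cast is believed safe.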
diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/constants.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/constants.tsx index 7ef2a186829c8..15722017647e9 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/constants.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/constants.tsx @@ -23,4 +23,4 @@ export const FALLBACK_VERSIONS = [ '7.17.0', ]; -export const MAINTAINANCE_VALUES = [1, 2, 4, 8, 12, 24, 48]; +export const MAINTAINANCE_VALUES = [0, 1, 2, 4, 8, 12, 24, 48]; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.test.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.test.tsx new file mode 100644 index 0000000000000..ed2689826dcd1 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.test.tsx 
@@ -0,0 +1,79 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { createFleetTestRendererMock } from '../../../../../../mock'; + +import { AgentUpgradeAgentModal } from '.'; +import type { AgentUpgradeAgentModalProps } from '.'; + +jest.mock('../../../../../../hooks/use_fleet_status', () => ({ + FleetStatusProvider: (props: any) => { + return props.children; + }, + useFleetStatus: jest.fn().mockReturnValue({}), +})); + +jest.mock('@elastic/eui', () => { + return { + ...jest.requireActual('@elastic/eui'), + EuiConfirmModal: ({ children }: any) => <>{children}, + }; +}); + +function renderAgentUpgradeAgentModal(props: Partial) { + const renderer = createFleetTestRendererMock(); + + const utils = renderer.render( + {}} {...props} /> + ); + + return { utils }; +} +describe('AgentUpgradeAgentModal', () => { + it('should set the default to Immediately if there is less than 10 agents using kuery', async () => { + const { utils } = renderAgentUpgradeAgentModal({ + agents: '*', + agentCount: 3, + }); + + const el = utils.container.querySelector( + '[data-test-subj="agentUpgradeModal.MaintainanceCombobox"]' + ); + expect(el).not.toBeNull(); + expect(el?.textContent).toBe('Immediately'); + }); + + it('should set the default to Immediately if there is less than 10 agents using selected agents', async () => { + const { utils } = renderAgentUpgradeAgentModal({ + agents: [{ id: 'agent1' }, { id: 'agent2' }] as any, + agentCount: 3, + }); + + const el = utils.container.querySelector( + '[data-test-subj="agentUpgradeModal.MaintainanceCombobox"]' + ); + expect(el).not.toBeNull(); + expect(el).not.toBeNull(); + expect(el?.textContent).toBe('Immediately'); + }); + + it('should set the default to 1 hour if there is more than 10 agents', 
async () => { + const { utils } = renderAgentUpgradeAgentModal({ + agents: '*', + agentCount: 13, + }); + + const el = utils.container.querySelector( + '[data-test-subj="agentUpgradeModal.MaintainanceCombobox"]' + ); + + expect(el).not.toBeNull(); + expect(el?.textContent).toBe('1 hour'); + }); +}); diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.tsx index 09d9494d1703f..686b0e8b1003e 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agents/components/agent_upgrade_modal/index.tsx @@ -25,8 +25,10 @@ import { FormattedMessage } from '@kbn/i18n-react'; import type { EuiComboBoxOptionOption } from '@elastic/eui'; import semverCoerce from 'semver/functions/coerce'; -import semverLt from 'semver/functions/lt'; +import semverGt from 'semver/functions/gt'; +import semverValid from 'semver/functions/valid'; +import { getMinVersion } from '../../../../../../../common/services/get_min_max_version'; import type { Agent } from '../../../../types'; import { sendPostAgentUpgrade, @@ -37,7 +39,7 @@ import { import { FALLBACK_VERSIONS, MAINTAINANCE_VALUES } from './constants'; -interface Props { +export interface AgentUpgradeAgentModalProps { onClose: () => void; agents: Agent[] | string; agentCount: number; @@ -46,7 +48,7 @@ interface Props { const getVersion = (version: Array>) => version[0]?.value as string; -export const AgentUpgradeAgentModal: React.FunctionComponent = ({ +export const AgentUpgradeAgentModal: React.FunctionComponent = ({ onClose, agents, agentCount, 
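Review bot: The second test in index.test.tsx asserts `expect(el).not.toBeNull();` twice in a row, so one of the lines is dead. The test titles say "less than 10 agents", but the modal's new rule (`isSmallBatch = agentCount <= 10` later in this commit) is inclusive, so the boundary is untested; a case with `agentCount: 10` expecting `'Immediately'` would pin the threshold the test names are describing. The test file's hunk starts on the previous line of this page.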
@@ -58,19 +60,35 @@ export const AgentUpgradeAgentModal: React.FunctionComponent = ({ const [errors, setErrors] = useState(); const isSingleAgent = Array.isArray(agents) && agents.length === 1; - const isSmallBatch = Array.isArray(agents) && agents.length > 1 && agents.length <= 10; + const isSmallBatch = agentCount <= 10; const isAllAgents = agents === ''; - const fallbackVersions = [kibanaVersion].concat(FALLBACK_VERSIONS); - const fallbackOptions: Array> = fallbackVersions.map( - (option) => ({ + const fallbackVersions = useMemo( + () => [kibanaVersion].concat(FALLBACK_VERSIONS), + [kibanaVersion] + ); + + const minVersion = useMemo(() => { + if (!Array.isArray(agents)) { + return getMinVersion(fallbackVersions); + } + const versions = (agents as Agent[]).map( + (agent) => agent.local_metadata?.elastic?.agent?.version + ); + return getMinVersion(versions); + }, [agents, fallbackVersions]); + + const versionOptions: Array> = useMemo(() => { + const displayVersions = minVersion + ? fallbackVersions.filter((v) => semverGt(v, minVersion)) + : fallbackVersions; + return displayVersions.map((option) => ({ label: option, value: option, - }) - ); - const maintainanceWindows = - isSmallBatch && !isScheduled ? [0].concat(MAINTAINANCE_VALUES) : MAINTAINANCE_VALUES; - const maintainanceOptions: Array> = maintainanceWindows.map( + })); + }, [fallbackVersions, minVersion]); + + const maintainanceOptions: Array> = MAINTAINANCE_VALUES.map( (option) => ({ label: option === 0 
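Review bot: `versionOptions` keeps only fallback versions strictly greater than `minVersion`, so when every selected agent is already on the newest listed version (or getMinVersion returns a value at or above `kibanaVersion`) `displayVersions` is empty, and in the following hunk `useState([versionOptions[0]])` seeds the combobox with `[undefined]` while `isClearable={false}` and the `!selected.length` guard leave no way to recover; the empty case needs handling, for example falling back to `fallbackVersions` or disabling the confirm action with a message. `versions` may also contain `undefined` entries for agents that lack `local_metadata.elastic.agent.version`; whether getMinVersion tolerates that is not visible in this hunk and deserves a comment either way. The component body continues outside the hunk.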
@@ -84,9 +102,9 @@ export const AgentUpgradeAgentModal: React.FunctionComponent = ({ value: option === 0 ? 0 : option * 3600, }) ); - const [selectedVersion, setSelectedVersion] = useState([fallbackOptions[0]]); + const [selectedVersion, setSelectedVersion] = useState([versionOptions[0]]); const [selectedMantainanceWindow, setSelectedMantainanceWindow] = useState([ - maintainanceOptions[0], + isSmallBatch ? maintainanceOptions[0] : maintainanceOptions[1], ]); const initialDatetime = useMemo(() => moment(), []); @@ -182,8 +200,17 @@ export const AgentUpgradeAgentModal: React.FunctionComponent = ({ } const onCreateOption = (searchValue: string) => { + if (!semverValid(searchValue)) { + return; + } + const agentVersionNumber = semverCoerce(searchValue); - if (agentVersionNumber?.version && semverLt(agentVersionNumber?.version, kibanaVersion)) { + if ( + agentVersionNumber?.version && + semverGt(kibanaVersion, agentVersionNumber?.version) && + minVersion && + semverGt(agentVersionNumber?.version, minVersion) + ) { const newOption = { label: searchValue, value: searchValue, @@ -274,9 +301,13 @@ export const AgentUpgradeAgentModal: React.FunctionComponent = ({ data-test-subj="agentUpgradeModal.VersionCombobox" fullWidth singleSelection={{ asPlainText: true }} - options={fallbackOptions} + options={versionOptions} + isClearable={false} selectedOptions={selectedVersion} onChange={(selected: Array>) => { + if (!selected.length) { + return; + } setSelectedVersion(selected); }} onCreateOption={onCreateOption} @@ -347,10 +378,14 @@ export const AgentUpgradeAgentModal: React.FunctionComponent = ({ >) => { + if (!selected.length) { + return; + } setSelectedMantainanceWindow(selected); }} /> diff --git a/x-pack/plugins/fleet/public/applications/integrations/hooks/index.ts b/x-pack/plugins/fleet/public/applications/integrations/hooks/index.ts index 9c907436af6e3..46ddeb809980f 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/hooks/index.ts 
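Review bot: `useState([versionOptions[0]])` seeds the selection with `undefined` whenever the `semverGt` filter leaves `versionOptions` empty (every agent already at or above the highest fallback version), and with `isClearable={false}` plus the new empty-selection guard in `onChange` (hunk at -274) the user has no way out of that state. Initialising with `useState(versionOptions.length ? [versionOptions[0]] : [])` and disabling submission while the selection is empty avoids it; the submit path is outside this hunk. Note also that a `useState` initialiser runs only on the first render, so a later change to `agents` (and therefore `versionOptions`) does not move the selection, which is presumably acceptable for a modal but worth a comment.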
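Review bot: In `onCreateOption` the `semverCoerce` call is now redundant: `semverValid(searchValue)` already returns the normalised version string or `null`, so `const version = semverValid(searchValue); if (!version) return;` can replace both the new guard and every `agentVersionNumber?.version` read. The early `return` also drops the input silently, so nothing tells the user why a typed version was rejected; consider surfacing a validation message through the existing `setErrors` state declared at the top of the component (outside this hunk).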
+++ b/x-pack/plugins/fleet/public/applications/integrations/hooks/index.ts @@ -11,3 +11,4 @@ export * from './use_links'; export * from './use_local_search'; export * from './use_package_install'; export * from './use_agent_policy_context'; +export * from './use_integrations_state'; diff --git a/x-pack/plugins/fleet/public/applications/integrations/hooks/use_integrations_state.tsx b/x-pack/plugins/fleet/public/applications/integrations/hooks/use_integrations_state.tsx new file mode 100644 index 0000000000000..e2b4a3ba1fa1b --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/integrations/hooks/use_integrations_state.tsx @@ -0,0 +1,44 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { FunctionComponent } from 'react'; +import React, { createContext, useContext, useRef, useCallback } from 'react'; + +import type { IntegrationsAppBrowseRouteState } from '../../../types'; +import { useIntraAppState } from '../../../hooks'; + +interface IntegrationsStateContextValue { + getFromIntegrations(): string | undefined; +} + +const IntegrationsStateContext = createContext({ + getFromIntegrations: () => undefined, +}); + +export const IntegrationsStateContextProvider: FunctionComponent = ({ children }) => { + const maybeState = useIntraAppState(); + const fromIntegrationsRef = useRef(maybeState?.fromIntegrations); + + const getFromIntegrations = useCallback(() => { + return fromIntegrationsRef.current; + }, []); + return ( + + {children} + + ); +}; + +export const useIntegrationsStateContext = () => { + const ctx = useContext(IntegrationsStateContext); + if (!ctx) { + throw new Error( + 'useIntegrationsStateContext can only be used inside of IntegrationsStateContextProvider' + ); + } + return ctx; +}; 
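Review bot: The `if (!ctx) throw` guard in `useIntegrationsStateContext` is unreachable: `IntegrationsStateContext` is created with a default value whose `getFromIntegrations` returns `undefined`, so `useContext` never yields a falsy value and a call outside `IntegrationsStateContextProvider` silently returns the no-op implementation instead of throwing. Either drop the guard or create the context without a default, `createContext<IntegrationsStateContextValue | undefined>(undefined)`, so the error message becomes true. Also, `fromIntegrationsRef` captures `maybeState?.fromIntegrations` only at the provider's first render; if freezing the origin for the provider's lifetime is the intent, a comment saying so would help, since a later in-app navigation carrying new state will not update it.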
diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.test.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.test.tsx new file mode 100644 index 0000000000000..0b1dbd6daef87 --- /dev/null +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.test.tsx 
@@ -0,0 +1,101 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { fireEvent, act } from '@testing-library/react'; + +import { createFleetTestRendererMock } from '../../../../../mock'; + +import { useStartServices } from '../../../hooks'; + +import type { PackageCardProps } from './package_card'; +import { PackageCard } from './package_card'; + +jest.mock('../../../hooks', () => { + return { + ...jest.requireActual('../../../hooks'), + useStartServices: jest.fn().mockReturnValue({ + application: { + navigateToApp: jest.fn(), + navigateToUrl: jest.fn(), + }, + }), + }; +}); + +function renderPackageCard(props: PackageCardProps) { + const renderer = createFleetTestRendererMock(); + + const utils = renderer.render(); + + return { utils }; +} + +describe('package card', () => { + let mockNavigateToApp: jest.Mock; + let mockNavigateToUrl: jest.Mock; + + beforeEach(() => { + mockNavigateToApp = useStartServices().application.navigateToApp as jest.Mock; + mockNavigateToUrl = useStartServices().application.navigateToUrl as jest.Mock; + }); + + it('should navigate with state when integrations card', async () => { + const { utils } = renderPackageCard({ + id: 'card-1', + url: '/app/integrations/detail/apache-1.0/overview', + fromIntegrations: 'installed', + title: 'System', + description: 'System', + } as PackageCardProps); + + await act(async () => { + const el = utils.getByRole('button'); + fireEvent.click(el!, {}); + }); + expect(mockNavigateToApp).toHaveBeenCalledWith('integrations', { + path: '/detail/apache-1.0/overview', + state: { fromIntegrations: 'installed' }, + }); + }); + + it('should navigate with url when enterprise search card', async () => { + const { utils } = renderPackageCard({ + id: 'card-1', + url: 
'/app/enterprise_search/workplace_search/setup_guide', + fromIntegrations: 'installed', + title: 'System', + description: 'System', + } as PackageCardProps); + + await act(async () => { + const el = utils.getByRole('button'); + fireEvent.click(el!, {}); + }); + expect(mockNavigateToUrl).toHaveBeenCalledWith( + '/app/enterprise_search/workplace_search/setup_guide' + ); + }); + + it('should navigate with window open when external url', async () => { + window.open = jest.fn(); + + const { utils } = renderPackageCard({ + id: 'card-1', + url: 'https://google.com', + fromIntegrations: 'installed', + title: 'System', + description: 'System', + } as PackageCardProps); + + await act(async () => { + const el = utils.getByRole('button'); + fireEvent.click(el!, {}); + }); + expect(window.open).toHaveBeenCalledWith('https://google.com', '_blank'); + }); +}); diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.tsx index a97a9ec8c1c24..53d6312a20773 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/components/package_card.tsx @@ -14,6 +14,9 @@ import { TrackApplicationView } from '@kbn/usage-collection-plugin/public'; import { CardIcon } from '../../../../../components/package_icon'; import type { IntegrationCardItem } from '../../../../../../common/types/models/epm'; +import { useStartServices } from '../../../hooks'; +import { INTEGRATIONS_BASE_PATH, INTEGRATIONS_PLUGIN_ID } from '../../../constants'; + import { RELEASE_BADGE_DESCRIPTION, RELEASE_BADGE_LABEL } from './release_badge'; export type PackageCardProps = IntegrationCardItem; @@ -34,6 +37,7 @@ export function PackageCard({ url, release, id, + fromIntegrations, }: PackageCardProps) { let releaseBadge: React.ReactNode | null = null; 
@@ -50,6 +54,21 @@ export function PackageCard({ ); } + const { application } = useStartServices(); + + const onCardClick = () => { + if (url.startsWith(INTEGRATIONS_BASE_PATH)) { + application.navigateToApp(INTEGRATIONS_PLUGIN_ID, { + path: url.slice(INTEGRATIONS_BASE_PATH.length), + state: { fromIntegrations }, + }); + } else if (url.startsWith('http') || url.startsWith('https')) { + window.open(url, '_blank'); + } else { + application.navigateToUrl(url); + } + }; + const testid = `integration-card:${id}`; return ( @@ -69,8 +88,7 @@ export function PackageCard({ size="xl" /> } - href={url} - target={url.startsWith('http') || url.startsWith('https') ? '_blank' : undefined} + onClick={onCardClick} > {releaseBadge} diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/index.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/index.tsx index 07fd657a01708..b21c790edd0f3 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/index.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/index.tsx @@ -9,7 +9,7 @@ import React from 'react'; import { Switch, Route } from 'react-router-dom'; import { INTEGRATIONS_ROUTING_PATHS } from '../../constants'; -import { useBreadcrumbs } from '../../hooks'; +import { IntegrationsStateContextProvider, useBreadcrumbs } from '../../hooks'; import { EPMHomePage } from './screens/home'; import { Detail } from './screens/detail'; @@ -24,7 +24,9 @@ export const EPMApp: React.FunctionComponent = () => {
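Review bot: `window.open(url, '_blank')` in `onCardClick` hands the opened page a `window.opener` reference to Kibana; passing `'noopener,noreferrer'` as the third argument, `window.open(url, '_blank', 'noopener,noreferrer');`, removes that regardless of browser defaults (the new test in package_card.test.tsx asserts the two-argument call and needs the same update). The scheme check `url.startsWith('http') || url.startsWith('https')` is redundant in its second half and also accepts any string beginning with `http`; `/^https?:\/\//.test(url)` states the intent. Replacing `href`/`target` with `onClick` (hunk at -69) also drops native link behaviour such as middle-click, ctrl-click and copy-link; keeping `href={url}` and calling `preventDefault()` in the handler for the in-app branch would preserve it, if the card component allows both.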
- + + + diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/index.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/index.tsx index 9cb1599a3a8c6..45d11730adba9 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/index.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/index.tsx @@ -34,6 +34,7 @@ import { useStartServices, useAuthz, usePermissionCheck, + useIntegrationsStateContext, } from '../../../../hooks'; import { INTEGRATIONS_ROUTING_PATHS } from '../../../../constants'; import { ExperimentalFeaturesService } from '../../../../services'; @@ -94,6 +95,7 @@ function Breadcrumbs({ packageTitle }: { packageTitle: string }) { export function Detail() { const { getId: getAgentPolicyId } = useAgentPolicyContext(); + const { getFromIntegrations } = useIntegrationsStateContext(); const { pkgkey, panel } = useParams(); const { getHref } = useLink(); const canInstallPackages = useAuthz().integrations.installPackages; @@ -195,21 +197,25 @@ export function Detail() { [integration, packageInfo] ); + const fromIntegrations = getFromIntegrations(); + + const href = + fromIntegrations === 'updates_available' + ? getHref('integrations_installed_updates_available') + : fromIntegrations === 'installed' + ? getHref('integrations_installed') + : getHref('integrations_all'); + const headerLeftContent = useMemo( () => ( {/* Allows button to break out of full width */}
- +
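Review bot: The `href` computation in `Detail` is a nested ternary, which is harder to scan than an `if`/`else if` chain or a small lookup from `fromIntegrations` to the page id handed to `getHref`; with a lookup, the `'integrations_all'` fallback is stated once and a further origin becomes a one-line addition. `getFromIntegrations()` is called unconditionally on every render, which is fine since it only reads a ref, but a short comment would stop readers from expecting a hook there. The enclosing `Detail` function starts and ends outside this hunk.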
@@ -261,7 +267,7 @@ export function Detail() {
), - [getHref, integrationInfo, isLoading, packageInfo] + [integrationInfo, isLoading, packageInfo, href] ); const handleAddIntegrationPolicyClick = useCallback( diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/settings/update_button.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/settings/update_button.tsx index 798c5ce43e50b..cc11dd6819695 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/settings/update_button.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/settings/update_button.tsx @@ -144,6 +144,16 @@ export const UpdateButton: React.FunctionComponent = ({ }, []); const navigateToNewSettingsPage = useCallback(() => { + // only navigate if still on old settings page (user has not navigated away) + if ( + !history.location.pathname.match( + getPath('integration_details_settings', { + pkgkey: `${name}-.*`, + }) + ) + ) { + return; + } const settingsPath = getPath('integration_details_settings', { pkgkey: `${name}-${version}`, }); diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/index.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/index.tsx index 0898f099e3e8c..2ddc78218466a 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/index.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/index.tsx @@ -46,7 +46,8 @@ export const categoryExists = (category: string, categories: CategoryFacet[]) => export const mapToCard = ( getAbsolutePath: (p: string) => string, getHref: (page: StaticPage | DynamicPage, values?: DynamicPagePathValues) => string, - item: CustomIntegration | PackageListItem + item: CustomIntegration | PackageListItem, + selectedCategory?: string ): IntegrationCardItem => { let uiInternalPathUrl; 
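Review bot: `history.location.pathname.match(getPath(...))` in `navigateToNewSettingsPage` passes a path string to `String.prototype.match`, which compiles it into a `RegExp`: the `.*` in `${name}-.*` is meant as a wildcard, but `name` itself and the path's `.` characters are interpreted as regex syntax as well, and the pattern is unanchored, so it matches anywhere in the pathname. An explicit, anchored `RegExp` built from an escaped `name`, or a comparison against the route's `pkgkey` param instead of regex matching, makes the intent clear and stops a package name containing regex metacharacters from silently changing the check. The enclosing `useCallback` continues outside the hunk, so its dependency list should include `history` and `name` if it does not already.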
@@ -80,6 +81,7 @@ export const mapToCard = ( icons: !item.icons || !item.icons.length ? [] : item.icons, title: item.title, url: uiInternalPathUrl, + fromIntegrations: selectedCategory, integration: 'integration' in item ? item.integration || '' : '', name: 'name' in item ? item.name || '' : '', version: 'version' in item ? item.version || '' : '', diff --git a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/installed_packages.tsx b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/installed_packages.tsx index 964994c250aa0..19de166cebc16 100644 --- a/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/installed_packages.tsx +++ b/x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/home/installed_packages.tsx @@ -143,7 +143,7 @@ export const InstalledPackages: React.FC = memo(() => { const cards = ( selectedCategory === 'updates_available' ? updatablePackages : allInstalledPackages - ).map((item) => mapToCard(getAbsolutePath, getHref, item)); + ).map((item) => mapToCard(getAbsolutePath, getHref, item, selectedCategory || 'installed')); const callout = selectedCategory === 'updates_available' ? null : ; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_agent_enrollment.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_agent_enrollment.tsx index 63292713daa93..173bb2ba0f14a 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_agent_enrollment.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_agent_enrollment.tsx 
@@ -5,8 +5,15 @@ * 2.0. */ -import React, { useEffect, useRef, useState } from 'react'; -import { EuiCallOut, EuiButton, EuiText, EuiLink } from '@elastic/eui'; +import React, { useEffect, useRef, useState, useCallback } from 'react'; +import { + EuiCallOut, + EuiButton, + EuiText, + EuiLink, + EuiLoadingSpinner, + EuiSpacer, +} from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { i18n } from '@kbn/i18n'; @@ -17,6 +24,12 @@ interface Props { troubleshootLink: string; onClickViewAgents?: () => void; agentCount: number; + showLoading?: boolean; +} + +interface UsePollingAgentCountOptions { + noLowerTimeLimit?: boolean; + pollImmediately?: boolean; } const POLLING_INTERVAL_MS = 5 * 1000; // 5 sec 
@@ -27,25 +40,40 @@ const POLLING_INTERVAL_MS = 5 * 1000; // 5 sec * @param policyId * @returns agentIds */ -export const usePollingAgentCount = (policyId: string) => { +export const usePollingAgentCount = (policyId: string, opts?: UsePollingAgentCountOptions) => { const [agentIds, setAgentIds] = useState([]); - + const [didPollInitially, setDidPollInitially] = useState(false); const timeout = useRef(undefined); + const lowerTimeLimitKuery = opts?.noLowerTimeLimit + ? '' + : `and ${AGENTS_PREFIX}.enrolled_at >= now-10m`; + const kuery = `${AGENTS_PREFIX}.policy_id:"${policyId}" and not (_exists_:"${AGENTS_PREFIX}.unenrolled_at") ${lowerTimeLimitKuery}`; + + const getNewAgentIds = useCallback(async () => { + const request = await sendGetAgents({ + kuery, + showInactive: false, + }); + + const newAgentIds = request.data?.items.map((i) => i.id) ?? agentIds; + if (newAgentIds.some((id) => !agentIds.includes(id))) { + setAgentIds(newAgentIds); + } + }, [agentIds, kuery]); + + // optionally poll once on first render + if (!didPollInitially && opts?.pollImmediately) { + getNewAgentIds(); + setDidPollInitially(true); + } + useEffect(() => { let isAborted = false; const poll = () => { timeout.current = window.setTimeout(async () => { - const request = await sendGetAgents({ - kuery: `${AGENTS_PREFIX}.policy_id:"${policyId}" and ${AGENTS_PREFIX}.enrolled_at >= now-10m`, - showInactive: false, - }); - - const newAgentIds = request.data?.items.map((i) => i.id) ?? agentIds; - if (newAgentIds.some((id) => !agentIds.includes(id))) { - setAgentIds(newAgentIds); - } + getNewAgentIds(); if (!isAborted) { poll(); } @@ -59,7 +87,7 @@ export const usePollingAgentCount = (policyId: string) => { return () => { isAborted = true; }; - }, [agentIds, policyId]); + }, [agentIds, policyId, kuery, getNewAgentIds]); return agentIds; }; 
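Review bot: The `pollImmediately` branch calls `getNewAgentIds()` and `setDidPollInitially(true)` in the hook body, i.e. during render; a render that is discarded or repeated (StrictMode runs hooks twice in development) sends the request more than once, and calling a state setter during render forces an extra render. The initial poll belongs in a mount-only effect, which also makes `didPollInitially` unnecessary. `getNewAgentIds` is also fired without `await` or `catch` both here and inside the timer, so a rejected `sendGetAgents` becomes an unhandled promise rejection; a `try/catch` that leaves `agentIds` untouched keeps the loop quiet and retrying. Finally, `policyId` is interpolated unescaped into the `kuery` string (as the removed code did too); it is an internal id, but escaping embedded double quotes before building the query would make that assumption explicit.
```typescript
  const getNewAgentIds = useCallback(async () => {
    try {
      const request = await sendGetAgents({
        kuery,
        showInactive: false,
      });
      const newAgentIds = request.data?.items.map((i) => i.id) ?? agentIds;
      if (newAgentIds.some((id) => !agentIds.includes(id))) {
        setAgentIds(newAgentIds);
      }
    } catch (e) {
      // keep the current ids; the next poll retries
    }
  }, [agentIds, kuery]);

  // optionally poll once on mount
  useEffect(() => {
    if (opts?.pollImmediately) {
      getNewAgentIds();
    }
    // mount-only by design: a single initial poll
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, []);

  // … unchanged: polling effect …
```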
@@ -68,9 +96,19 @@ export const ConfirmAgentEnrollment: React.FunctionComponent = ({ troubleshootLink, onClickViewAgents, agentCount, + showLoading = false, }) => { const { getHref } = useLink(); const { application } = useStartServices(); + const showViewAgents = !!onClickViewAgents; + const TroubleshootLink = () => ( + + + + ); const onButtonClick = () => { if (onClickViewAgents) onClickViewAgents(); @@ -78,7 +116,7 @@ export const ConfirmAgentEnrollment: React.FunctionComponent = ({ application.navigateToUrl(href); }; - if (!policyId || agentCount === 0) { + if (!policyId || (agentCount === 0 && !showLoading)) { return ( = ({ id="xpack.fleet.enrollmentInstructions.troubleshootingText" defaultMessage="If you are having trouble connecting, see our {link}." values={{ - link: ( - - - - ), + link: , }} /> ); } + if (showLoading && !agentCount) { + return ( + <> + + } + /> + + + , + }} + /> + + + ); + } + return ( = ({ color="success" iconType="check" > - - {i18n.translate('xpack.fleet.agentEnrollment.confirmation.button', { - defaultMessage: 'View enrolled agents', - })} - + {showViewAgents && ( + + {i18n.translate('xpack.fleet.agentEnrollment.confirmation.button', { + defaultMessage: 'View enrolled agents', + })} + + )} ); }; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_incoming_data.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_incoming_data.tsx index 021acfbb17644..145811126691a 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_incoming_data.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/confirm_incoming_data.tsx @@ -38,6 +38,7 @@ export const ConfirmIncomingData: React.FunctionComponent = ({ if (!isLoading && enrolledAgents > 0 && numAgentsWithData > 0) { setAgentDataConfirmed(true); } + if (!agentDataConfirmed) { return ( 
diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/installation_message.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/installation_message.tsx index 48531ef166714..1b3002be9183f 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/installation_message.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/installation_message.tsx @@ -18,9 +18,13 @@ import type { K8sMode } from './types'; interface Props { isK8s?: K8sMode; + isManaged?: boolean; } -export const InstallationMessage: React.FunctionComponent = ({ isK8s }) => { +export const InstallationMessage: React.FunctionComponent = ({ + isK8s, + isManaged = true, +}) => { const { docLinks } = useStartServices(); const kibanaVersion = useKibanaVersion(); const kibanaVersionURLString = useMemo( @@ -55,7 +59,15 @@ export const InstallationMessage: React.FunctionComponent = ({ isK8s }) = ), installationLink: ( - + { mode, setMode, isIntegrationFlow, + refreshAgentPolicies, } = props; const fleetStatus = useFleetStatus(); const { isUnhealthy: isFleetServerUnhealthy } = useFleetServerUnhealthy(); + useEffect(() => { + refreshAgentPolicies(); + }, [refreshAgentPolicies]); + const fleetServerAgentPolicies: string[] = useMemo( () => agentPolicies.filter((pol) => policyHasFleetServer(pol)).map((pol) => pol.id), [agentPolicies] diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/agent_enrollment_confirmation_step.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/agent_enrollment_confirmation_step.tsx index 13fb858739e7d..8736e0bf31bc4 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/agent_enrollment_confirmation_step.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/agent_enrollment_confirmation_step.tsx 
@@ -11,31 +11,70 @@ import { i18n } from '@kbn/i18n'; import type { EuiContainedStepProps } from '@elastic/eui/src/components/steps/steps'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiLink, EuiText } from '@elastic/eui'; + import { ConfirmAgentEnrollment } from '../confirm_agent_enrollment'; +const AgentEnrollmentPrePollInstructions: React.FC<{ troubleshootLink: string }> = ({ + troubleshootLink, +}) => { + return ( + + + + + ), + }} + /> + + ); +}; + export const AgentEnrollmentConfirmationStep = ({ selectedPolicyId, troubleshootLink, onClickViewAgents, agentCount, + showLoading, + poll = true, }: { selectedPolicyId?: string; troubleshootLink: string; - onClickViewAgents: () => void; + onClickViewAgents?: () => void; agentCount: number; + poll?: boolean; + showLoading?: boolean; }): EuiContainedStepProps => { + const isComplete = !!agentCount; return { - title: i18n.translate('xpack.fleet.agentEnrollment.stepAgentEnrollmentConfirmation', { - defaultMessage: 'Confirm agent enrollment', - }), - children: ( - - ), - status: !agentCount ? undefined : 'complete', + title: isComplete + ? i18n.translate('xpack.fleet.agentEnrollment.stepAgentEnrollmentConfirmationComplete', { + defaultMessage: 'Agent enrollment confirmed', + }) + : i18n.translate('xpack.fleet.agentEnrollment.stepAgentEnrollmentConfirmation', { + defaultMessage: 'Confirm agent enrollment', + }), + children: + !!isComplete || poll ? ( + + ) : ( + + ), + status: !isComplete ? 'incomplete' : 'complete', }; }; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/configure_standalone_agent_step.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/configure_standalone_agent_step.tsx index 39a7943ac0e32..decee6601329a 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/configure_standalone_agent_step.tsx 
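Review bot: `!!isComplete || poll` in the new `children` expression double-negates a value that is already a boolean (`const isComplete = !!agentCount;` a few lines above), so `isComplete || poll ? (` reads the same and is clearer; likewise `status: !isComplete ? 'incomplete' : 'complete'` is more direct as `status: isComplete ? 'complete' : 'incomplete'`. The move from `undefined` to `'incomplete'` for the not-yet-complete status is a visible behaviour change for the step indicator, presumably intentional, and deserves a one-line comment. The JSX inside this hunk is not legible in this rendering, so the component bodies could not be reviewed.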
+++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/configure_standalone_agent_step.tsx @@ -28,11 +28,15 @@ export const ConfigureStandaloneAgentStep = ({ selectedPolicyId, yaml, downloadLink, + isComplete, + onCopy, }: { isK8s?: K8sMode; selectedPolicyId?: string; yaml: string; downloadLink: string; + isComplete?: boolean; + onCopy?: () => void; }): EuiContainedStepProps => { const policyMsg = isK8s === 'IS_KUBERNETES' ? ( @@ -83,7 +87,13 @@ export const ConfigureStandaloneAgentStep = ({ {(copy) => ( - + { + copy(); + if (onCopy) onCopy(); + }} + iconType="copyClipboard" + > ), - status: !yaml ? 'loading' : undefined, + status: !yaml ? 'loading' : isComplete ? 'complete' : undefined, }; }; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_managed_agent_step.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_managed_agent_step.tsx index bbb3d8d4794c3..a6a91ed54ea95 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_managed_agent_step.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_managed_agent_step.tsx @@ -23,19 +23,32 @@ export const InstallManagedAgentStep = ({ selectedApiKeyId, apiKeyData, isK8s, + isComplete, + fullCopyButton, + onCopy, }: { selectedApiKeyId?: string; apiKeyData?: GetOneEnrollmentAPIKeyResponse | null; isK8s?: K8sMode; installCommand: CommandsByPlatform; + isComplete?: boolean; + fullCopyButton?: boolean; + onCopy?: () => void; }): EuiContainedStepProps => { + const nonCompleteStatus = selectedApiKeyId ? undefined : 'disabled'; + const status = isComplete ? 'complete' : nonCompleteStatus; return { - status: selectedApiKeyId ? undefined : 'disabled', + status, title: i18n.translate('xpack.fleet.agentEnrollment.stepEnrollAndRunAgentTitle', { defaultMessage: 'Install Elastic Agent on your host', }), children: selectedApiKeyId && apiKeyData && ( - + ), }; }; 
diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_standalone_agent_step.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_standalone_agent_step.tsx index 74ce555f7c2e8..e972e5a99a1e2 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_standalone_agent_step.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/steps/install_standalone_agent_step.tsx @@ -19,14 +19,29 @@ import type { K8sMode } from '../types'; export const InstallStandaloneAgentStep = ({ installCommand, isK8s, + isComplete, + fullCopyButton, + onCopy, }: { installCommand: CommandsByPlatform; isK8s?: K8sMode; + isComplete?: boolean; + fullCopyButton?: boolean; + onCopy?: () => void; }): EuiContainedStepProps => { return { title: i18n.translate('xpack.fleet.agentEnrollment.stepEnrollAndRunAgentTitle', { defaultMessage: 'Install Elastic Agent on your host', }), - children: , + children: ( + + ), + status: isComplete ? 'complete' : undefined, }; }; diff --git a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/use_get_agent_incoming_data.tsx b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/use_get_agent_incoming_data.tsx index 6422d1bc40acc..d18689f4c0bd5 100644 --- a/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/use_get_agent_incoming_data.tsx +++ b/x-pack/plugins/fleet/public/components/agent_enrollment_flyout/use_get_agent_incoming_data.tsx @@ -7,6 +7,8 @@ import { useEffect, useState, useMemo, useRef } from 'react'; import { i18n } from '@kbn/i18n'; +import type { SearchHit } from '@kbn/core/types/elasticsearch'; + import type { IncomingDataList } from '../../../common/types/rest_spec/agent'; import { sendGetAgentIncomingData, useLink } from '../../hooks'; 
@@ -72,37 +74,66 @@ export const useGetAgentIncomingData = ( }; }; +const POLLING_INTERVAL_MS = 5 * 1000; // 5 sec +const POLLING_TIMEOUT_MS = 5 * 60 * 1000; // 5 min + /** * Hook for polling incoming data for the selected agent policy. * @param agentIds * @returns incomingData, isLoading */ -const POLLING_INTERVAL_MS = 5 * 1000; // 5 sec - -export const usePollingIncomingData = (agentsIds: string[]) => { +export const usePollingIncomingData = ( + agentIds: string[], + previewData?: boolean, + stopPollingAfterPreviewLength: number = 0 +) => { const timeout = useRef(undefined); - const [incomingData, setIncomingData] = useState([]); + const [result, setResult] = useState<{ + incomingData: IncomingDataList[]; + dataPreview: SearchHit[]; + }>({ + incomingData: [], + dataPreview: [], + }); const [isLoading, setIsLoading] = useState(true); + const [hasReachedTimeout, setHasReachedTimeout] = useState(false); + + const startedPollingAt = useRef(); useEffect(() => { let isAborted = false; const poll = () => { timeout.current = window.setTimeout(async () => { - const { data } = await sendGetAgentIncomingData({ agentsIds }); + // On the first run, set an initial timestamp so we can track timeouts + if (!startedPollingAt.current) { + startedPollingAt.current = Date.now(); + } + // If we've been polling for more than 5 minutes, we consider the request "timed out", but + // don't actually stop polling. This flag just allows consumers of this hook to display an + // appropriate timeout UI as needed. 
+ if (Date.now() - startedPollingAt.current > POLLING_TIMEOUT_MS) { + setHasReachedTimeout(true); + } + + const { data } = await sendGetAgentIncomingData({ agentsIds: agentIds, previewData }); if (data?.items) { - // filter out agents that have `data = false` and keep polling + // filter out agents that have `data = false` and keep polling const filtered = data?.items.filter((item) => { const key = Object.keys(item)[0]; return item[key].data === true; }); if (filtered.length > 0) { - setIncomingData(filtered); + setResult({ + incomingData: filtered, + dataPreview: data.dataPreview || [], + }); setIsLoading(false); } } + if (!isAborted) { poll(); } @@ -110,12 +141,23 @@ export const usePollingIncomingData = (agentsIds: string[]) => { }; poll(); - if (isAborted || incomingData.length > 0) clearTimeout(timeout.current); + + const previewLengthReached = result.dataPreview.length >= stopPollingAfterPreviewLength; + const incomingDataReceived = result.incomingData.length > 0; + const dataReceived = previewData ? previewLengthReached : incomingDataReceived; + + if (isAborted || dataReceived) { + clearTimeout(timeout.current); + } return () => { isAborted = true; }; - }, [agentsIds, incomingData]); + }, [agentIds, result, previewData, stopPollingAfterPreviewLength, startedPollingAt]); - return { incomingData, isLoading }; + return { + ...result, + isLoading, + hasReachedTimeout, + }; }; diff --git a/x-pack/plugins/fleet/public/components/enrollment_instructions/install_section.tsx b/x-pack/plugins/fleet/public/components/enrollment_instructions/install_section.tsx index 1ebe68b8c5282..856c89721c3b5 100644 --- a/x-pack/plugins/fleet/public/components/enrollment_instructions/install_section.tsx +++ b/x-pack/plugins/fleet/public/components/enrollment_instructions/install_section.tsx 
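Review bot: `await sendGetAgentIncomingData(...)` inside the timer callback has no error handling, so a rejected request (network error, expired session) surfaces as an unhandled promise rejection and, because the `if (!isAborted) { poll(); }` that follows is skipped, polling stops for good while `isLoading` stays `true` and `hasReachedTimeout` is never set. Wrapping the request in `try`/`catch` and moving the re-schedule into `finally` keeps the loop alive across transient failures; the removed code had the same gap, but this hunk rewrites the body. The timer callback's closing line is outside the hunk.
```typescript
        // … unchanged: startedPollingAt / POLLING_TIMEOUT_MS bookkeeping …
        try {
          const { data } = await sendGetAgentIncomingData({ agentsIds: agentIds, previewData });
          // … unchanged: filter items with data === true, setResult / setIsLoading …
        } catch (e) {
          // transient failure: keep the current result and let the next poll retry
        } finally {
          if (!isAborted) {
            poll();
          }
        }
```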
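Review bot: With `previewData` set and `stopPollingAfterPreviewLength` left at its default `0`, `previewLengthReached` is `result.dataPreview.length >= 0`, which is true on the first effect run, so `clearTimeout(timeout.current)` cancels the timer immediately after `poll()` schedules it and no request is ever sent. Guarding the threshold, `const previewLengthReached = stopPollingAfterPreviewLength > 0 && result.dataPreview.length >= stopPollingAfterPreviewLength;`, or defaulting the parameter to `1`, makes preview mode usable without an explicit length. `startedPollingAt` in the dependency array is a ref whose identity never changes, so listing it has no effect and can be dropped.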
@@ -17,13 +17,24 @@ import { PlatformSelector } from '../platform_selector'; interface Props { installCommand: CommandsByPlatform; isK8s: K8sMode | undefined; + fullCopyButton?: boolean; + isManaged?: boolean; + onCopy?: () => void; } -export const InstallSection: React.FunctionComponent = ({ installCommand, isK8s }) => { +export const InstallSection: React.FunctionComponent = ({ + installCommand, + isK8s, + fullCopyButton = false, + isManaged = true, + onCopy, +}) => { return ( <> - + void; } // Otherwise the copy button is over the text @@ -36,8 +46,11 @@ export const PlatformSelector: React.FunctionComponent = ({ linuxDebCommand, linuxRpmCommand, isK8s, + fullCopyButton, + onCopy, }) => { const { platform, setPlatform } = usePlatform(); + const [copyButtonClicked, setCopyButtonClicked] = useState(false); const systemPackageCallout = ( = ({ deb: linuxDebCommand, rpm: linuxRpmCommand, }; + const onTextAreaClick = () => { + if (onCopy) onCopy(); + }; + const onCopyButtonClick = (copy: () => void) => { + copy(); + setCopyButtonClicked(true); + if (onCopy) onCopy(); + }; return ( <> {isK8s ? ( - + {K8S_COMMAND} ) : ( @@ -81,9 +102,11 @@ export const PlatformSelector: React.FunctionComponent = ({ )} + = ({ > {commandsByPlatform[platform]} + + {fullCopyButton && ( + + {(copy) => ( + onCopyButtonClick(copy)} + > + {copyButtonClicked ? ( + + ) : ( + + )} + + )} + + )} )} diff --git a/x-pack/plugins/fleet/public/constants/page_paths.ts b/x-pack/plugins/fleet/public/constants/page_paths.ts index a87c9fe9e0869..26db09d68f41d 100644 --- a/x-pack/plugins/fleet/public/constants/page_paths.ts +++ b/x-pack/plugins/fleet/public/constants/page_paths.ts @@ -22,6 +22,7 @@ export type StaticPage = export type DynamicPage = | 'integrations_all' | 'integrations_installed' + | 'integrations_installed_updates_available' | 'integration_details_overview' | 'integration_details_policies' | 'integration_details_assets' 
@@ -76,6 +77,7 @@ export const INTEGRATIONS_ROUTING_PATHS = { integrations: '/:tabId', integrations_all: '/browse/:category?', integrations_installed: '/installed/:category?', + integrations_installed_updates_available: '/installed/updates_available/:category?', integration_details: '/detail/:pkgkey/:panel?', integration_details_overview: '/detail/:pkgkey/overview', integration_details_policies: '/detail/:pkgkey/policies', @@ -104,6 +106,17 @@ export const pagePathGetters: { const queryParams = query ? `?${INTEGRATIONS_SEARCH_QUERYPARAM}=${query}` : ``; return [INTEGRATIONS_BASE_PATH, `/installed${categoryPath}${queryParams}`]; }, + integrations_installed_updates_available: ({ + query, + category, + }: { + query?: string; + category?: string; + }) => { + const categoryPath = category ? `/${category}` : ``; + const queryParams = query ? `?${INTEGRATIONS_SEARCH_QUERYPARAM}=${query}` : ``; + return [INTEGRATIONS_BASE_PATH, `/installed/updates_available${categoryPath}${queryParams}`]; + }, integration_details_overview: ({ pkgkey, integration }) => [ INTEGRATIONS_BASE_PATH, `/detail/${pkgkey}/overview${integration ? `?integration=${integration}` : ''}`, diff --git a/x-pack/plugins/fleet/public/plugin.ts b/x-pack/plugins/fleet/public/plugin.ts index 34fa9d2cbcfc8..90aa776261eef 100644 --- a/x-pack/plugins/fleet/public/plugin.ts +++ b/x-pack/plugins/fleet/public/plugin.ts @@ -27,9 +27,8 @@ import type { SharePluginStart } from '@kbn/share-plugin/public'; import { once } from 'lodash'; import type { SpacesPluginStart } from '@kbn/spaces-plugin/public'; - +import type { DiscoverStart } from '@kbn/discover-plugin/public'; import type { CloudStart } from '@kbn/cloud-plugin/public'; - import type { UsageCollectionSetup } from '@kbn/usage-collection-plugin/public'; import { DEFAULT_APP_CATEGORIES, AppNavLinkStatus } from '@kbn/core/public'; 
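Review bot: The new `integrations_installed_updates_available` getter repeats the body of `integrations_installed` verbatim except for the `/updates_available` segment, and like that getter it interpolates `category` and `query` into the URL without encoding, so a value containing `/`, `?`, `&` or `#` would alter the route instead of being carried as data (unless callers already encode, which is not visible here). A small shared helper taking the base segment would remove the duplication, and wrapping the values with `encodeURIComponent`, e.g. `const categoryPath = category ? `/${encodeURIComponent(category)}` : ``;`, would make both getters robust. The `pagePathGetters` object continues outside the hunk.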
@@ -112,6 +111,7 @@ export interface FleetStartServices extends CoreStart, Exclude { ); expect(fleetServerPackagePolicy?.attributes.vars).toMatchInlineSnapshot(`undefined`); expect(fleetServerPackagePolicy?.attributes.inputs).toMatchInlineSnapshot(` - Array [ - Object { - "compiled_input": Object { - "server": Object { - "host": "0.0.0.0", - "port": 8220, - }, - "server.runtime": Object { - "gc_percent": 20, - }, - }, - "enabled": true, - "keep_enabled": true, - "policy_template": "fleet_server", - "streams": Array [], - "type": "fleet-server", - "vars": Object { - "custom": Object { - "type": "yaml", - "value": "server.runtime: - gc_percent: 20 # Force the GC to execute more frequently: see https://golang.org/pkg/runtime/debug/#SetGCPercent - ", - }, - "host": Object { - "frozen": true, - "type": "text", - "value": "0.0.0.0", - }, - "max_connections": Object { - "type": "integer", + Array [ + Object { + "compiled_input": Object { + "server": Object { + "host": "0.0.0.0", + "port": 8220, + }, + "server.runtime": Object { + "gc_percent": 20, + }, }, - "port": Object { - "frozen": true, - "type": "integer", - "value": 8220, + "enabled": true, + "keep_enabled": true, + "policy_template": "fleet_server", + "streams": Array [], + "type": "fleet-server", + "vars": Object { + "custom": Object { + "type": "yaml", + "value": "server.runtime: + gc_percent: 20 # Force the GC to execute more frequently: see https://golang.org/pkg/runtime/debug/#SetGCPercent + ", + }, + "host": Object { + "frozen": true, + "type": "text", + "value": "0.0.0.0", + }, + "max_agents": Object { + "type": "integer", + }, + "max_connections": Object { + "type": "integer", + }, + "port": Object { + "frozen": true, + "type": "integer", + "value": 8220, + }, }, }, - }, - ] - `); + ] + `); }); }); describe('Adding APM to a preconfigured agent policy after first setup', () => { 
diff --git a/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts b/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts index 622cc8d147273..f400becfa0085 100644 --- a/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts +++ b/x-pack/plugins/fleet/server/integration_tests/helpers/docker_registry_helper.ts @@ -24,7 +24,7 @@ export function useDockerRegistry() { let dockerProcess: ChildProcess | undefined; async function startDockerRegistryServer() { - const dockerImage = `docker.elastic.co/package-registry/distribution:e1a3906e0c9944ecade05308022ba35eb0ebd00a`; + const dockerImage = `docker.elastic.co/package-registry/distribution:93ffe45d8c4ae11365bc70b1038643121049b9fe`; const args = ['run', '--rm', '-p', `${packageRegistryPort}:8080`, dockerImage]; diff --git a/x-pack/plugins/fleet/server/routes/agent/handlers.ts b/x-pack/plugins/fleet/server/routes/agent/handlers.ts index b9e82e844e81b..15d842951e6c4 100644 --- a/x-pack/plugins/fleet/server/routes/agent/handlers.ts +++ b/x-pack/plugins/fleet/server/routes/agent/handlers.ts @@ -234,15 +234,18 @@ export const getAgentDataHandler: RequestHandler< const coreContext = await context.core; const esClient = coreContext.elasticsearch.client.asCurrentUser; try { - let items; + const returnDataPreview = request.query.previewData; + const agentIds = isStringArray(request.query.agentsIds) + ? request.query.agentsIds + : [request.query.agentsIds]; - if (isStringArray(request.query.agentsIds)) { - items = await AgentService.getIncomingDataByAgentsId(esClient, request.query.agentsIds); - } else { - items = await AgentService.getIncomingDataByAgentsId(esClient, [request.query.agentsIds]); - } + const { items, dataPreview } = await AgentService.getIncomingDataByAgentsId( + esClient, + agentIds, + returnDataPreview + ); - const body = { items }; + const body = { items, dataPreview }; return response.ok({ body }); } catch (error) { 
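Review bot: With `previewData` set, `getAgentDataHandler` now forwards `dataPreview` to the caller unchanged, and per the service change in this diff that is the raw `hits` array (with `_index`, `_id` and full `_source`) from a search across the `logs-*`, `metrics-*`, `traces-*` and `synthetics-*` data streams, capped at 20 documents. That contract deserves a comment at the `const body = { items, dataPreview };` line, e.g. `// dataPreview: up to MAX_AGENT_DATA_PREVIEW_SIZE raw hits (full _source) when previewData is set, otherwise []`, and if the preview only needs to show that data is flowing, a trimmed projection from the service would expose less than whole documents. The handler's try/catch continues outside the hunk.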
diff --git a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts index 8ec5b79811a2a..17ac6772ee623 100644 --- a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts +++ b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts @@ -21,7 +21,7 @@ import * as AgentService from '../../services/agents'; import { appContextService } from '../../services'; import { defaultIngestErrorHandler } from '../../errors'; import { isAgentUpgradeable } from '../../../common/services'; -import { getMaxVersion } from '../../../common/services/get_max_version'; +import { getMaxVersion } from '../../../common/services/get_min_max_version'; import { getAgentById } from '../../services/agents'; import type { Agent } from '../../types'; @@ -57,7 +57,7 @@ export const postAgentUpgradeHandler: RequestHandler< }, }); } - if (!force && !isAgentUpgradeable(agent, kibanaVersion)) { + if (!force && !isAgentUpgradeable(agent, kibanaVersion, version)) { return response.customError({ statusCode: 400, body: { @@ -181,6 +181,10 @@ const checkFleetServerVersion = (versionToUpgradeNumber: string, fleetServerAgen const maxFleetServerVersion = getMaxVersion(fleetServerVersions); + if (!maxFleetServerVersion) { + return; + } + if (semverGt(versionToUpgradeNumber, maxFleetServerVersion)) { throw new Error( `cannot upgrade agent to ${versionToUpgradeNumber} because it is higher than the latest fleet server version ${maxFleetServerVersion}` diff --git a/x-pack/plugins/fleet/server/services/agents/status.ts b/x-pack/plugins/fleet/server/services/agents/status.ts index 15a43c6ac3999..c86e6e1df274f 100644 --- a/x-pack/plugins/fleet/server/services/agents/status.ts +++ b/x-pack/plugins/fleet/server/services/agents/status.ts 
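Review bot: The new `if (!maxFleetServerVersion) { return; }` in `checkFleetServerVersion` silently skips the fleet-server ceiling check whenever `getMaxVersion` yields nothing, so the upgrade proceeds without that guard. If that is the intended fallback for deployments with no enrolled fleet server, make it explicit with a comment such as `// No fleet server version known (e.g. none enrolled yet): skip the ceiling check rather than block the upgrade`, and consider a debug-level log so the skipped check is observable when diagnosing an unexpected upgrade. The function begins and ends outside the hunk.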
@@ -19,7 +19,7 @@ import { FleetUnauthorizedError } from '../../errors'; import { getAgentById, getAgentsByKuery, removeSOAttributes } from './crud'; const DATA_STREAM_INDEX_PATTERN = 'logs-*-*,metrics-*-*,traces-*-*,synthetics-*-*'; - +const MAX_AGENT_DATA_PREVIEW_SIZE = 20; export async function getAgentStatusById( esClient: ElasticsearchClient, agentId: string @@ -97,7 +97,8 @@ export async function getAgentStatusForAgentPolicy( } export async function getIncomingDataByAgentsId( esClient: ElasticsearchClient, - agentsIds: string[] + agentsIds: string[], + returnDataPreview: boolean = false ) { try { const { has_all_requested: hasAllPrivileges } = await esClient.security.hasPrivileges({ @@ -117,9 +118,9 @@ export async function getIncomingDataByAgentsId( const searchResult = await esClient.search({ index: DATA_STREAM_INDEX_PATTERN, allow_partial_search_results: true, - _source: false, + _source: returnDataPreview, timeout: '5s', - size: 0, + size: returnDataPreview ? MAX_AGENT_DATA_PREVIEW_SIZE : 0, body: { query: { bool: { @@ -152,9 +153,12 @@ export async function getIncomingDataByAgentsId( }); if (!searchResult.aggregations?.agent_ids) { - return agentsIds.map((id) => { - return { [id]: { data: false } }; - }); + return { + items: agentsIds.map((id) => { + return { items: { [id]: { data: false } } }; + }), + data: [], + }; } // @ts-expect-error aggregation type is not specified @@ -162,9 +166,13 @@ export async function getIncomingDataByAgentsId( (bucket: any) => bucket.key as string ); - return agentsIds.map((id) => + const dataPreview = searchResult.hits?.hits || []; + + const items = agentsIds.map((id) => agentIdsWithData.includes(id) ? { [id]: { data: true } } : { [id]: { data: false } } ); + + return { items, dataPreview }; } catch (e) { throw new Error(e); } diff --git a/x-pack/plugins/fleet/server/services/agents/upgrade.ts b/x-pack/plugins/fleet/server/services/agents/upgrade.ts index 87007b9ce880a..78c208eb5ae8e 100644 
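Review bot: `_source: returnDataPreview` switches the search from metadata-only to returning full documents, and `size: returnDataPreview ? MAX_AGENT_DATA_PREVIEW_SIZE : 0` returns up to 20 of them from every matching logs/metrics/traces/synthetics data stream for the given agents. Since those hits are returned through the API as `dataPreview`, consider a source filter so only the fields the preview actually renders leave the cluster, e.g. `_source: returnDataPreview ? [/* fields shown in the preview */] : false,`, and give `MAX_AGENT_DATA_PREVIEW_SIZE` a comment explaining why 20 was chosen. `getIncomingDataByAgentsId` begins and ends outside this hunk.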
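Review bot: The early-return branch for a missing `agent_ids` aggregation returns a different shape from the success path: each element is wrapped as `{ items: { [id]: { data: false } } }` instead of `{ [id]: { data: false } }`, and the preview key is `data` rather than `dataPreview`. A consumer that reads `Object.keys(item)[0]` (as the polling hook earlier in this diff does) would get the key `items` and never find `.data`, and `dataPreview` would be `undefined` on this path. It should read `items: agentsIds.map((id) => ({ [id]: { data: false } })),` followed by `dataPreview: [],`.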
--- a/x-pack/plugins/fleet/server/services/agents/upgrade.ts +++ b/x-pack/plugins/fleet/server/services/agents/upgrade.ts @@ -133,8 +133,9 @@ export async function sendUpgradeAgentsActions( const upgradeableResults = await Promise.allSettled( agentsToCheckUpgradeable.map(async (agent) => { // Filter out agents currently unenrolling, unenrolled, or not upgradeable b/c of version check - const isAllowed = options.force || isAgentUpgradeable(agent, kibanaVersion); - if (!isAllowed) { + const isNotAllowed = + !options.force && !isAgentUpgradeable(agent, kibanaVersion, options.version); + if (isNotAllowed) { throw new IngestManagerError(`${agent.id} is not upgradeable`); } diff --git a/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.test.ts b/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.test.ts new file mode 100644 index 0000000000000..9e16ad9b0b6b5 --- /dev/null +++ b/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.test.ts 
@@ -0,0 +1,108 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { elasticsearchServiceMock, savedObjectsClientMock } from '@kbn/core/server/mocks'; + +import { agentPolicyService } from '../agent_policy'; +import { packagePolicyService } from '../package_policy'; +import { PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE } from '../../constants'; +import { setupFleet } from '../setup'; +import { getAgentsByKuery, forceUnenrollAgent } from '../agents'; +import { listEnrollmentApiKeys, deleteEnrollmentApiKey } from '../api_keys'; + +import { resetPreconfiguredAgentPolicies } from './reset_agent_policies'; + +jest.mock('../agent_policy'); +jest.mock('../package_policy'); +jest.mock('../setup'); +jest.mock('../agents'); +jest.mock('../api_keys'); + +const mockedSetupFleet = setupFleet as jest.MockedFunction; +const mockedForceUnenrollAgent = forceUnenrollAgent as jest.MockedFunction< + typeof forceUnenrollAgent +>; +const mockedDeleteEnrollmentApiKey = deleteEnrollmentApiKey as jest.MockedFunction< + typeof deleteEnrollmentApiKey +>; +const mockedGetAgentsByKuery = getAgentsByKuery as jest.MockedFunction; +const mockedListEnrollmentApiKeys = listEnrollmentApiKeys as jest.MockedFunction< + typeof listEnrollmentApiKeys +>; + +const mockedAgentPolicyService = agentPolicyService as jest.Mocked; +const mockedPackagePolicyService = packagePolicyService as jest.Mocked; + +jest.mock('../app_context', () => ({ + appContextService: { + getLogger: () => + new Proxy( + {}, + { + get() { + return jest.fn(); + }, + } + ), + }, +})); + +describe('reset agent policies', () => { + it('should not unenroll agents or revoke enrollment api keys if there is no existing policies', async () => { + const soClient = savedObjectsClientMock.create(); + const esClient = 
elasticsearchServiceMock.createClusterClient().asInternalUser; + mockedAgentPolicyService.list.mockResolvedValueOnce({ + items: [], + } as any); + mockedPackagePolicyService.list.mockResolvedValueOnce({ + items: [], + } as any); + soClient.find.mockImplementation(async (option) => { + if (option.type === PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE) { + return { saved_objects: [] } as any; + } + + throw new Error('not mocked'); + }); + await resetPreconfiguredAgentPolicies(soClient, esClient); + + expect(mockedSetupFleet).toBeCalled(); + expect(mockedForceUnenrollAgent).not.toBeCalled(); + expect(mockedDeleteEnrollmentApiKey).not.toBeCalled(); + }); + + it('should unenroll agents and revoke enrollment api keys if there is policies', async () => { + const soClient = savedObjectsClientMock.create(); + const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser; + mockedAgentPolicyService.list.mockResolvedValueOnce({ + items: [{ id: 'policy1' }], + } as any); + mockedPackagePolicyService.list.mockResolvedValueOnce({ + items: [], + } as any); + mockedGetAgentsByKuery.mockResolvedValueOnce({ + agents: [{ id: 'agent1' }], + } as any); + mockedListEnrollmentApiKeys.mockResolvedValueOnce({ + items: [{ id: 'key1' }], + } as any); + soClient.find.mockImplementation(async (option) => { + if (option.type === PRECONFIGURATION_DELETION_RECORD_SAVED_OBJECT_TYPE) { + return { + saved_objects: [], + } as any; + } + + throw new Error('not mocked'); + }); + await resetPreconfiguredAgentPolicies(soClient, esClient); + + expect(mockedSetupFleet).toBeCalled(); + expect(mockedForceUnenrollAgent).toBeCalled(); + expect(mockedDeleteEnrollmentApiKey).toBeCalled(); + }); +}); diff --git a/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.ts b/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.ts index 30484f93c0157..e4a8fb11ce704 100644 --- a/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.ts 
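Review bot: The second test only asserts `toBeCalled()` on `mockedForceUnenrollAgent` and `mockedDeleteEnrollmentApiKey`, so it would still pass if the wrong agent or key were targeted. Since the fixtures define `agent1` and `key1`, assert that those ids appear in the recorded calls (via `toHaveBeenCalledWith` with the appropriate positional matchers, or by inspecting `mock.calls`), which turns the test into a check of what is unenrolled and revoked rather than merely that something was. The `soClient.find` mock throwing `'not mocked'` for other types is a good pattern; a one-line comment explaining that intent would help readers unfamiliar with the file.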
+++ b/x-pack/plugins/fleet/server/services/preconfiguration/reset_agent_policies.ts @@ -56,6 +56,10 @@ async function _deleteGhostPackagePolicies( }, new Set()) ); + if (!policyIds.length) { + return; + } + const objects = policyIds.map((id) => ({ id, type: AGENT_POLICY_SAVED_OBJECT_TYPE })); const agentPolicyExistsMap = (await soClient.bulkGet(objects)).saved_objects.reduce((acc, so) => { if (so.error && so.error.statusCode === 404) { @@ -144,6 +148,10 @@ async function _deleteExistingData( ).items; } + if (!existingPolicies.length) { + return; + } + // unenroll all the agents enroled in this policies const { agents } = await getAgentsByKuery(esClient, { showInactive: false, @@ -175,18 +183,16 @@ async function _deleteExistingData( } ); } - if (existingPolicies.length > 0) { - logger.info(`Deleting ${existingPolicies.length} agent policies`); - await pMap( - existingPolicies, - (policy) => - agentPolicyService.delete(soClient, esClient, policy.id, { - force: true, - removeFleetServerDocuments: true, - }), - { - concurrency: 20, - } - ); - } + logger.info(`Deleting ${existingPolicies.length} agent policies`); + await pMap( + existingPolicies, + (policy) => + agentPolicyService.delete(soClient, esClient, policy.id, { + force: true, + removeFleetServerDocuments: true, + }), + { + concurrency: 20, + } + ); } diff --git a/x-pack/plugins/fleet/server/types/rest_spec/agent.ts b/x-pack/plugins/fleet/server/types/rest_spec/agent.ts index 7c1078ba8dbd8..93c67a11e2d0e 100644 --- a/x-pack/plugins/fleet/server/types/rest_spec/agent.ts +++ b/x-pack/plugins/fleet/server/types/rest_spec/agent.ts @@ -7,6 +7,7 @@ import { schema } from '@kbn/config-schema'; import moment from 'moment'; +import semverIsValid from 'semver/functions/valid'; import { NewAgentActionSchema } from '../models'; 
@@ -61,13 +62,21 @@ export const PostBulkAgentUnenrollRequestSchema = { }), }; +function validateVersion(s: string) { + if (!semverIsValid(s)) { + return 'not a valid semver'; + } +} + export const PostAgentUpgradeRequestSchema = { params: schema.object({ agentId: schema.string(), }), body: schema.object({ source_uri: schema.maybe(schema.string()), - version: schema.string(), + version: schema.string({ + validate: validateVersion, + }), force: schema.maybe(schema.boolean()), }), }; @@ -76,7 +85,7 @@ export const PostBulkAgentUpgradeRequestSchema = { body: schema.object({ agents: schema.oneOf([schema.arrayOf(schema.string()), schema.string()]), source_uri: schema.maybe(schema.string()), - version: schema.string(), + version: schema.string({ validate: validateVersion }), force: schema.maybe(schema.boolean()), rollout_duration_seconds: schema.maybe(schema.number({ min: 600 })), start_time: schema.maybe( @@ -132,5 +141,6 @@ export const GetAgentStatusRequestSchema = { export const GetAgentDataRequestSchema = { query: schema.object({ agentsIds: schema.oneOf([schema.arrayOf(schema.string()), schema.string()]), + previewData: schema.boolean({ defaultValue: false }), }), }; diff --git a/x-pack/plugins/graph/public/helpers/use_workspace_loader.test.tsx b/x-pack/plugins/graph/public/helpers/use_workspace_loader.test.tsx index 0c05fce5a4558..bfb373712acd6 100644 --- a/x-pack/plugins/graph/public/helpers/use_workspace_loader.test.tsx +++ b/x-pack/plugins/graph/public/helpers/use_workspace_loader.test.tsx 
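Review bot: `validateVersion` accepts whatever `semverIsValid` accepts, which includes a leading `v` and surrounding whitespace (it returns the cleaned version), while the raw request string is what ends up in `version`; so `v8.3.0` passes validation but is not in canonical form. If downstream code compares `version` textually against agent or fleet-server versions, either reject non-canonical input with `if (semverIsValid(s) !== s) { return 'not a valid semver'; }` or document that callers normalise. The function also returns `undefined` implicitly on success; an explicit `: string | undefined` return type would make the config-schema validator contract visible at the signature.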
@@ -9,7 +9,7 @@ import { coreMock } from '@kbn/core/public/mocks'; import { spacesPluginMock } from '@kbn/spaces-plugin/public/mocks'; import { createMockGraphStore } from '../state_management/mocks'; import { Workspace } from '../types'; -import { SavedObjectsClientCommon } from '@kbn/data-plugin/common'; +import { SavedObjectsClientCommon } from '@kbn/data-views-plugin/public'; import { renderHook, act, RenderHookOptions } from '@testing-library/react-hooks'; jest.mock('react-router-dom', () => { diff --git a/x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts b/x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts index 80c0f324e793f..a8b78bf2efccf 100644 --- a/x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts +++ b/x-pack/plugins/infra/common/dependency_mocks/index_patterns.ts @@ -84,6 +84,6 @@ export const createIndexPatternsStartMock = ( indexPatterns: IndexPatternMock[] ): any => { return { - indexPatternsServiceFactory: async () => createIndexPatternsMock(asyncDelay, indexPatterns), + dataViewsServiceFactory: async () => createIndexPatternsMock(asyncDelay, indexPatterns), }; }; diff --git a/x-pack/plugins/infra/public/components/logging/log_minimap/density_chart.tsx b/x-pack/plugins/infra/public/components/logging/log_minimap/density_chart.tsx index 0d2133e0bd6fc..f24cdfa15a23a 100644 --- a/x-pack/plugins/infra/public/components/logging/log_minimap/density_chart.tsx +++ b/x-pack/plugins/infra/public/components/logging/log_minimap/density_chart.tsx 
@@ -38,10 +38,10 @@ export const DensityChart: React.FC = ({ const xScale = scaleLinear().domain([0, xMax]).range([0, width]); const path = area() - .x0(xScale(0)) - .x1((bucket) => xScale(bucket.entriesCount)) - .y0((bucket) => yScale(bucket.start)) - .y1((bucket) => yScale(bucket.end)) + .x0(xScale(0) ?? 0) + .x1((bucket) => xScale(bucket.entriesCount) ?? 0) + .y0((bucket) => yScale(bucket.start) ?? 0) + .y1((bucket) => yScale(bucket.end) ?? 0) .curve(curveMonotoneY); const firstBucket = buckets[0]; diff --git a/x-pack/plugins/infra/public/components/logging/log_minimap/log_minimap.tsx b/x-pack/plugins/infra/public/components/logging/log_minimap/log_minimap.tsx index a43da182f656f..f295d84b6ce4c 100644 --- a/x-pack/plugins/infra/public/components/logging/log_minimap/log_minimap.tsx +++ b/x-pack/plugins/infra/public/components/logging/log_minimap/log_minimap.tsx @@ -78,7 +78,7 @@ export class LogMinimap extends React.Component { - return this.getYScale()(time); + return this.getYScale()(time) ?? 0; }; private updateTimeCursor: React.MouseEventHandler = (event) => { diff --git a/x-pack/plugins/infra/public/components/logging/log_minimap/search_markers.tsx b/x-pack/plugins/infra/public/components/logging/log_minimap/search_markers.tsx index 137f095b484c7..74a547c123a4a 100644 --- a/x-pack/plugins/infra/public/components/logging/log_minimap/search_markers.tsx +++ b/x-pack/plugins/infra/public/components/logging/log_minimap/search_markers.tsx @@ -43,7 +43,7 @@ export class SearchMarkers extends React.PureComponent { > diff --git a/x-pack/plugins/infra/public/components/logging/log_minimap/time_ruler.tsx b/x-pack/plugins/infra/public/components/logging/log_minimap/time_ruler.tsx index 11be87ce295a1..d7d6b5da262e0 100644 --- a/x-pack/plugins/infra/public/components/logging/log_minimap/time_ruler.tsx +++ b/x-pack/plugins/infra/public/components/logging/log_minimap/time_ruler.tsx 
@@ -28,7 +28,7 @@ export const TimeRuler: React.FC = ({ end, height, start, tickCo return ( {ticks.map((tick, tickIndex) => { - const y = yScale(tick); + const y = yScale(tick) ?? 0; return ( diff --git a/x-pack/plugins/infra/public/containers/with_kuery_autocompletion.tsx b/x-pack/plugins/infra/public/containers/with_kuery_autocompletion.tsx index 96410973f8c0e..e4f076bf3ca3a 100644 --- a/x-pack/plugins/infra/public/containers/with_kuery_autocompletion.tsx +++ b/x-pack/plugins/infra/public/containers/with_kuery_autocompletion.tsx @@ -12,6 +12,7 @@ import { KibanaReactContextValue, KibanaServices, } from '@kbn/kibana-react-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { QuerySuggestion, UnifiedSearchPublicPluginStart } from '@kbn/unified-search-plugin/public'; import { RendererFunction } from '../utils/typed_react'; @@ -85,7 +86,7 @@ class WithKueryAutocompletionComponent extends React.Component< query: expression, selectionStart: cursorPosition, selectionEnd: cursorPosition, - indexPatterns: [indexPattern], + indexPatterns: [indexPattern as DataView], boolFilter: [], })) || []; diff --git a/x-pack/plugins/infra/server/lib/adapters/framework/kibana_framework_adapter.ts b/x-pack/plugins/infra/server/lib/adapters/framework/kibana_framework_adapter.ts index 7aa4b433c477c..0872283e6af9e 100644 --- a/x-pack/plugins/infra/server/lib/adapters/framework/kibana_framework_adapter.ts +++ b/x-pack/plugins/infra/server/lib/adapters/framework/kibana_framework_adapter.ts @@ -219,7 +219,7 @@ export class KibanaFramework { elasticsearchClient: ElasticsearchClient ) { const [, startPlugins] = await this.core.getStartServices(); - return startPlugins.data.indexPatterns.indexPatternsServiceFactory( + return startPlugins.data.indexPatterns.dataViewsServiceFactory( savedObjectsClient, elasticsearchClient ); 
diff --git a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/lib/create_condition_script.ts b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/lib/create_condition_script.ts index 782c65d8a0beb..82c4afb49ed3e 100644 --- a/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/lib/create_condition_script.ts +++ b/x-pack/plugins/infra/server/lib/alerting/inventory_metric_threshold/lib/create_condition_script.ts @@ -15,10 +15,27 @@ export const createConditionScript = ( ) => { const threshold = conditionThresholds.map((n) => convertMetricValue(metric, n)); if (comparator === Comparator.BETWEEN && threshold.length === 2) { - return `params.value > ${threshold[0]} && params.value < ${threshold[1]} ? 1 : 0`; + return { + source: `params.value > params.threshold0 && params.value < params.threshold1 ? 1 : 0`, + params: { + threshold0: threshold[0], + threshold1: threshold[1], + }, + }; } if (comparator === Comparator.OUTSIDE_RANGE && threshold.length === 2) { - return `params.value < ${threshold[0]} && params.value > ${threshold[1]} ? 1 : 0`; + return { + source: `params.value < params.threshold0 && params.value > params.threshold1 ? 1 : 0`, + params: { + threshold0: threshold[0], + threshold1: threshold[1], + }, + }; } - return `params.value ${comparator} ${threshold[0]} ? 1 : 0`; + return { + source: `params.value ${comparator} params.threshold ? 1 : 0`, + params: { + threshold: threshold[0], + }, + }; }; diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/lib/create_condition_script.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/lib/create_condition_script.ts index 843a1a79eaf62..b4285863dbccb 100644 --- a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/lib/create_condition_script.ts +++ b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/lib/create_condition_script.ts 
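Review bot: Moving the threshold values out of the Painless source and into `params` is the right change, but the default branch still interpolates `${comparator}` into the script source. That is safe only while `comparator` is guaranteed to be a `Comparator` enum member; worth stating at that line with `// comparator is a closed Comparator enum value, never free-form input; thresholds go through params` so a future caller does not widen the type. The same pattern appears in the `metric_threshold` version of `createConditionScript` in the next hunk. The function signature starts outside this hunk.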
@@ -8,10 +8,27 @@ import { Comparator } from '../../../../../common/alerting/metrics'; export const createConditionScript = (threshold: number[], comparator: Comparator) => { if (comparator === Comparator.BETWEEN && threshold.length === 2) { - return `params.value > ${threshold[0]} && params.value < ${threshold[1]} ? 1 : 0`; + return { + source: `params.value > params.threshold0 && params.value < params.threshold1 ? 1 : 0`, + params: { + threshold0: threshold[0], + threshold1: threshold[1], + }, + }; } if (comparator === Comparator.OUTSIDE_RANGE && threshold.length === 2) { - return `params.value < ${threshold[0]} && params.value > ${threshold[1]} ? 1 : 0`; + return { + source: `params.value < params.threshold0 && params.value > params.threshold1 ? 1 : 0`, + params: { + threshold0: threshold[0], + threshold1: threshold[1], + }, + }; } - return `params.value ${comparator} ${threshold[0]} ? 1 : 0`; + return { + source: `params.value ${comparator} params.threshold ? 1 : 0`, + params: { + threshold: threshold[0], + }, + }; }; diff --git a/x-pack/plugins/kubernetes_security/.eslintrc.json b/x-pack/plugins/kubernetes_security/.eslintrc.json new file mode 100644 index 0000000000000..2aab6c2d9093b --- /dev/null +++ b/x-pack/plugins/kubernetes_security/.eslintrc.json @@ -0,0 +1,5 @@ +{ + "rules": { + "@typescript-eslint/consistent-type-definitions": 0 + } +} diff --git a/x-pack/plugins/kubernetes_security/README.md b/x-pack/plugins/kubernetes_security/README.md new file mode 100644 index 0000000000000..5dfb3f426b139 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/README.md @@ -0,0 +1,3 @@ +# Kubernetes Security + +(under construction) \ No newline at end of file diff --git a/x-pack/plugins/kubernetes_security/common/constants.ts b/x-pack/plugins/kubernetes_security/common/constants.ts new file mode 100644 index 0000000000000..c88d30d7712ed --- /dev/null +++ b/x-pack/plugins/kubernetes_security/common/constants.ts 
@@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const KUBERNETES_PATH = '/kubernetes' as const; + +export const AGGREGATE_ROUTE = '/internal/kubernetes_security/aggregate'; +export const COUNT_ROUTE = '/internal/kubernetes_security/count'; +export const AGGREGATE_PAGE_SIZE = 10; + +// so, bucket sort can only page through what we request at the top level agg, which means there is a ceiling to how many aggs we can page through. +// we should also test this approach at scale. +export const AGGREGATE_MAX_BUCKETS = 2000; diff --git a/x-pack/plugins/kubernetes_security/common/translations.ts b/x-pack/plugins/kubernetes_security/common/translations.ts new file mode 100644 index 0000000000000..da5bdeb4266fa --- /dev/null +++ b/x-pack/plugins/kubernetes_security/common/translations.ts @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const SEARCH_GROUP_CLUSTER = i18n.translate('xpack.kubernetesSecurity.searchGroup.cluster', { + defaultMessage: 'Cluster', +}); + +export const SEARCH_GROUP_GROUP_BY = i18n.translate( + 'xpack.kubernetesSecurity.searchGroup.groupBy', + { + defaultMessage: 'Group by', + } +); + +export const SEARCH_GROUP_SORT_BY = i18n.translate('xpack.kubernetesSecurity.searchGroup.sortBy', { + defaultMessage: 'Sort by', +}); diff --git a/x-pack/plugins/kubernetes_security/jest.config.js b/x-pack/plugins/kubernetes_security/jest.config.js new file mode 100644 index 0000000000000..d42855eeab9de --- /dev/null 
+++ b/x-pack/plugins/kubernetes_security/jest.config.js @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +module.exports = { + preset: '@kbn/test', + rootDir: '../../..', + roots: ['/x-pack/plugins/kubernetes_security'], + coverageDirectory: '/target/kibana-coverage/jest/x-pack/plugins/kubernetes_security', + coverageReporters: ['text', 'html'], + collectCoverageFrom: [ + '/x-pack/plugins/kubernetes_security/{common,public,server}/**/*.{ts,tsx}', + ], + setupFiles: ['jest-canvas-mock'], +}; diff --git a/x-pack/plugins/kubernetes_security/kibana.json b/x-pack/plugins/kubernetes_security/kibana.json new file mode 100644 index 0000000000000..c54efd9db8d4c --- /dev/null +++ b/x-pack/plugins/kubernetes_security/kibana.json @@ -0,0 +1,18 @@ +{ + "id": "kubernetesSecurity", + "version": "1.0.0", + "kibanaVersion": "kibana", + "owner": { + "name": "Security Team", + "githubTeam": "security-team" + }, + "requiredPlugins": [ + "data", + "timelines", + "ruleRegistry", + "sessionView" + ], + "requiredBundles": [], + "server": true, + "ui": true +} diff --git a/x-pack/plugins/kubernetes_security/package.json b/x-pack/plugins/kubernetes_security/package.json new file mode 100644 index 0000000000000..93c8f2611108b --- /dev/null +++ b/x-pack/plugins/kubernetes_security/package.json @@ -0,0 +1,11 @@ +{ + "author": "Elastic", + "name": "kubernetes_security", + "version": "1.0.0", + "private": true, + "license": "Elastic-License", + "scripts": { + "test:jest": "node ../../scripts/jest", + "test:coverage": "node ../../scripts/jest --coverage" + } +} 
diff --git a/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.test.tsx b/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.test.tsx new file mode 100644 index 0000000000000..fa379cf23d7e1 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.test.tsx @@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +// eslint-disable-next-line @kbn/eslint/module_migration +import { MemoryRouterProps } from 'react-router'; +import { render, screen } from '@testing-library/react'; +import { MemoryRouter } from 'react-router-dom'; +import { KubernetesSecurityRoutes } from '.'; + +jest.mock('../kubernetes_widget', () => ({ + KubernetesWidget: () =>
{'Mock kubernetes widget'}
, +})); + +const renderWithRouter = ( + initialEntries: MemoryRouterProps['initialEntries'] = ['/kubernetes'] +) => { + const useGlobalFullScreen = jest.fn(); + useGlobalFullScreen.mockImplementation(() => { + return { globalFullScreen: false }; + }); + const useSourcererDataView = jest.fn(); + useSourcererDataView.mockImplementation(() => { + return { + indexPattern: { + fields: [ + { + aggregatable: false, + esTypes: [], + name: '_id', + searchable: true, + type: 'string', + }, + ], + title: '.mock-index-pattern', + }, + }; + }); + return render( + + {'Mock filters'}} /> + + ); +}; + +describe('Kubernetes security routes', () => { + it('navigates to the kubernetes page', () => { + renderWithRouter(); + expect(screen.getAllByText('Mock kubernetes widget')).toHaveLength(3); + }); +}); diff --git a/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.tsx b/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.tsx new file mode 100644 index 0000000000000..1abf39a9c45fb --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/components/kubernetes_security_routes/index.tsx 
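Review bot: `renderWithRouter` creates `useGlobalFullScreen` and `useSourcererDataView` as `jest.fn()` mocks with implementations, but nothing visible passes them to the rendered component or to `jest.mock`, so they appear to be dead setup (the JSX in this rendering is partly lost, so confirm against the file). Either wire them in or drop them so the test declares only what it depends on. The expectation `toHaveLength(3)` also pins a count without saying where it comes from; a comment naming which three widgets the `/kubernetes` route renders would make the assertion self-explaining.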
@@ -0,0 +1,103 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { Route, Switch } from 'react-router-dom'; +import { + EuiBadge, + EuiFlexGroup, + EuiFlexItem, + EuiLoadingContent, + EuiSpacer, + EuiTextColor, +} from '@elastic/eui'; +import { CSSObject } from '@emotion/react'; +import { KUBERNETES_PATH } from '../../../common/constants'; +import { KubernetesWidget } from '../kubernetes_widget'; +import { KubernetesSecurityDeps } from '../../types'; + +const widgetBadge: CSSObject = { + position: 'absolute', + bottom: '16px', + left: '16px', + width: 'calc(100% - 32px)', + fontSize: '12px', + lineHeight: '18px', + padding: '4px 8px', + display: 'flex', +}; + +const treeViewContainer: CSSObject = { + position: 'relative', + border: '1px solid #D3DAE6', + borderRadius: '6px', + padding: '16px', + height: '500px', +}; + +const KubernetesSecurityRoutesComponent = ({ filter }: KubernetesSecurityDeps) => { + return ( + + + {filter} + + + + +
{'93 alerts '}
View alerts +
+
+
+ + + + + + + + 1000 + {' live'} + + 42 + {' disabled'} + + + +
+ +
+ + +
+
+
+ ); +}; + +export const KubernetesSecurityRoutes = React.memo(KubernetesSecurityRoutesComponent); +// eslint-disable-next-line import/no-default-export +export { KubernetesSecurityRoutes as default }; diff --git a/x-pack/plugins/kubernetes_security/public/components/kubernetes_widget/index.tsx b/x-pack/plugins/kubernetes_security/public/components/kubernetes_widget/index.tsx new file mode 100644 index 0000000000000..904a444bb4d68 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/components/kubernetes_widget/index.tsx @@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { ReactNode } from 'react'; +import { EuiIcon } from '@elastic/eui'; +import { CSSObject } from '@emotion/react'; + +const widget = (isAlert?: boolean): CSSObject => ({ + position: 'relative', + height: '180px', + padding: '16px', + border: `1px solid ${isAlert ? '#BD271E' : '#D3DAE6'}`, + borderRadius: '6px', + fontWeight: 700, + fontSize: '12px', + lineHeight: '16px', +}); + +const widgetData: CSSObject = { + display: 'flex', + alignItems: 'center', + marginTop: '16px', + fontSize: '27px', + lineHeight: '32px', +}; + +interface KubernetesWidgetDeps { + title: string; + icon: string; + iconColor: string; + data: number; + isAlert?: boolean; + children?: ReactNode; +} + +export const KubernetesWidget = ({ + title, + icon, + iconColor, + data, + isAlert, + children, +}: KubernetesWidgetDeps) => ( +
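Review bot: `KubernetesSecurityRoutesComponent` renders fixed sample values (`'93 alerts '`, `1000`/`' live'`, `42`/`' disabled'`) and what appear to be hard-coded `KubernetesWidget` props, but nothing marks them as scaffolding, so a reader cannot tell placeholder from intended behavior. A comment above the JSX such as `// TODO: placeholder values until the widget data is fetched from the aggregate/count routes` — or a named constant holding the sample data — would make the intent explicit. The colors in `treeViewContainer` (`'#D3DAE6'`) are literal hex values rather than EUI theme tokens; the same pattern recurs in `widget()` in kubernetes_widget/index.tsx, so both should be addressed together when the styles are finalised.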
+
{title}
+
+ + {data} +
+ {children} +
+); diff --git a/x-pack/plugins/kubernetes_security/public/index.ts b/x-pack/plugins/kubernetes_security/public/index.ts new file mode 100644 index 0000000000000..9d01e94b4aff2 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/index.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { KubernetesSecurityPlugin } from './plugin'; + +export type { KubernetesSecurityStart } from './types'; + +export function plugin() { + return new KubernetesSecurityPlugin(); +} diff --git a/x-pack/plugins/kubernetes_security/public/methods/index.tsx b/x-pack/plugins/kubernetes_security/public/methods/index.tsx new file mode 100644 index 0000000000000..85316f74b04f6 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/methods/index.tsx @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { lazy, Suspense } from 'react'; +import { EuiLoadingSpinner } from '@elastic/eui'; +import { QueryClient, QueryClientProvider } from 'react-query'; +import { KubernetesSecurityDeps } from '../types'; + +// Initializing react-query +const queryClient = new QueryClient(); + +const KubernetesSecurityLazy = lazy(() => import('../components/kubernetes_security_routes')); + +export const getKubernetesSecurityLazy = (props: KubernetesSecurityDeps) => { + return ( + + }> + + + + ); +}; diff --git a/x-pack/plugins/kubernetes_security/public/plugin.ts b/x-pack/plugins/kubernetes_security/public/plugin.ts new file mode 100644 index 0000000000000..d80c858abf784 --- /dev/null 
+++ b/x-pack/plugins/kubernetes_security/public/plugin.ts @@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { CoreSetup, CoreStart, Plugin } from '@kbn/core/public'; +import { KubernetesSecurityDeps, KubernetesSecurityServices } from './types'; +import { getKubernetesSecurityLazy } from './methods'; + +export type { KubernetesSecurityStart } from './types'; + +export class KubernetesSecurityPlugin implements Plugin { + public setup(core: CoreSetup) {} + + public start(core: CoreStart) { + return { + getKubernetesPage: (kubernetesSecurityDeps: KubernetesSecurityDeps) => + getKubernetesSecurityLazy(kubernetesSecurityDeps), + }; + } + + public stop() {} +} diff --git a/x-pack/plugins/kubernetes_security/public/types.ts b/x-pack/plugins/kubernetes_security/public/types.ts new file mode 100644 index 0000000000000..65a25868a0655 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/public/types.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React from 'react'; +import { CoreStart } from '@kbn/core/public'; + +export type KubernetesSecurityServices = CoreStart; + +export interface KubernetesSecurityDeps { + filter: React.ReactNode; +} + +export interface KubernetesSecurityStart { + getKubernetesPage: (kubernetesSecurityDeps: KubernetesSecurityDeps) => JSX.Element; +} diff --git a/x-pack/plugins/kubernetes_security/server/index.ts b/x-pack/plugins/kubernetes_security/server/index.ts new file mode 100644 index 0000000000000..7ff5edf027a09 --- /dev/null 
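Review bot: `KubernetesSecurityServices` is imported from `./types` in public/plugin.ts but never referenced in the file, which the repo's lint rules will flag, and `setup(core: CoreSetup) {}` and `stop() {}` are empty with no comment saying they are intentional no-ops. Dropping the unused import and typing the class so the `start` return value is checked against the contract already exported two lines above — `export class KubernetesSecurityPlugin implements Plugin<void, KubernetesSecurityStart>` — would let the compiler catch drift between `getKubernetesPage` and `KubernetesSecurityStart` in types.ts.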
+++ b/x-pack/plugins/kubernetes_security/server/index.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PluginInitializerContext } from '@kbn/core/server'; +import { KubernetesSecurityPlugin } from './plugin'; + +export function plugin(initializerContext: PluginInitializerContext) { + return new KubernetesSecurityPlugin(initializerContext); +} diff --git a/x-pack/plugins/kubernetes_security/server/plugin.ts b/x-pack/plugins/kubernetes_security/server/plugin.ts new file mode 100644 index 0000000000000..5f2b61d3c2528 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/server/plugin.ts 
@@ -0,0 +1,48 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + CoreSetup, + CoreStart, + Plugin, + Logger, + PluginInitializerContext, + IRouter, +} from '@kbn/core/server'; +import { KubernetesSecuritySetupPlugins, KubernetesSecurityStartPlugins } from './types'; +import { registerRoutes } from './routes'; + +export class KubernetesSecurityPlugin implements Plugin { + private logger: Logger; + private router: IRouter | undefined; + + /** + * Initialize KubernetesSecurityPlugin class properties (logger, etc) that is accessible + * through the initializerContext. + */ + constructor(initializerContext: PluginInitializerContext) { + this.logger = initializerContext.logger.get(); + } + + public setup(core: CoreSetup, plugins: KubernetesSecuritySetupPlugins) { + this.logger.debug('kubernetes security: Setup'); + this.router = core.http.createRouter(); + } + + public start(core: CoreStart, plugins: KubernetesSecurityStartPlugins) { + this.logger.debug('kubernetes security: Start'); + + // Register server routes + if (this.router) { + registerRoutes(this.router, plugins.ruleRegistry); + } + } + + public stop() { + this.logger.debug('kubernetes security: Stop'); + } +} diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts new file mode 100644 index 0000000000000..8f90a8ee8ba50 --- /dev/null +++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts 
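Review bot: Routes are registered in `start()` via `registerRoutes(this.router, plugins.ruleRegistry)` while the router is created in `setup()`, which is why `router` has to be stored as an optional field and guarded with `if (this.router)`; Kibana's convention is to register routes during setup, and moving the call there removes both the field and the guard. If the start contract of `ruleRegistry` is genuinely needed at registration time a comment should say why, because `registerRoutes` in server/routes/index.ts accepts the argument and never uses it. The `plugins: KubernetesSecuritySetupPlugins` parameter of `setup` is likewise unused in the visible body.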
@@ -0,0 +1,82 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { schema } from '@kbn/config-schema';
+import type { ElasticsearchClient } from '@kbn/core/server';
+import { IRouter } from '@kbn/core/server';
+import { PROCESS_EVENTS_INDEX } from '@kbn/session-view-plugin/common/constants';
+import {
+  AGGREGATE_ROUTE,
+  AGGREGATE_PAGE_SIZE,
+  AGGREGATE_MAX_BUCKETS,
+} from '../../common/constants';
+
+export const registerAggregateRoute = (router: IRouter) => {
+  router.get(
+    {
+      path: AGGREGATE_ROUTE,
+      validate: {
+        query: schema.object({
+          query: schema.string(),
+          groupBy: schema.string(),
+          page: schema.number(),
+          index: schema.maybe(schema.string()),
+        }),
+      },
+    },
+    async (context, request, response) => {
+      const client = (await context.core).elasticsearch.client.asCurrentUser;
+      const { query, groupBy, page, index } = request.query;
+
+      try {
+        const body = await doSearch(client, query, groupBy, page, index);
+
+        return response.ok({ body });
+      } catch (err) {
+        return response.badRequest(err.message);
+      }
+    }
+  );
+};
+
+export const doSearch = async (
+  client: ElasticsearchClient,
+  query: string,
+  groupBy: string,
+  page: number, // zero based
+  index?: string
+) => {
+  const queryDSL = JSON.parse(query);
+
+  const search = await client.search({
+    index: [index || PROCESS_EVENTS_INDEX],
+    body: {
+      query: queryDSL,
+      size: 0,
+      aggs: {
+        custom_agg: {
+          terms: {
+            field: groupBy,
+            size: AGGREGATE_MAX_BUCKETS,
+          },
+          aggs: {
+            bucket_sort: {
+              bucket_sort: {
+                sort: [{ _key: { order: 'asc' } }], // defaulting to alphabetic sort
+                size: AGGREGATE_PAGE_SIZE,
+                from: AGGREGATE_PAGE_SIZE * page,
+              },
+            },
+          },
+        },
+      },
+    },
+  });
+
+  const agg: any = search.aggregations?.custom_agg;
+
+  return agg?.buckets || [];
+};
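Review bot: `doSearch` forwards `JSON.parse(query)` unchanged as the Elasticsearch `query` clause and the caller's `index` string unchanged as the search target, so the route validation (`schema.string()` on both) only proves they are strings — the endpoint is effectively a query-DSL proxy over any index the caller names, and `doCount` in server/routes/count.ts has the same shape. `asCurrentUser` keeps Elasticsearch authorization in force, but constraining `index` to the patterns this plugin serves (a `schema.oneOf` of `schema.literal` values starting from `PROCESS_EVENTS_INDEX`) and validating the parsed DSL against an allowed shape would turn the implicit reliance on ES into an explicit contract. The `catch` maps every failure — JSON syntax errors, but also ES authorization and server errors — to a 400 carrying the raw ES message, and `response.badRequest(err.message)` passes a string where the response factory takes an options object, so the message is likely dropped at runtime anyway; `return response.badRequest({ body: err.message })` for the parse failure and letting other errors propagate to Kibana's default handler would be the usual split. `page: schema.number()` also admits negative values, which reach ES as a negative `from`; `schema.number({ min: 0 })` rejects them at the boundary.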
diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts
new file mode 100644
index 0000000000000..ecf28df4f7c2b
--- /dev/null
+++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts
@@ -0,0 +1,66 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { schema } from '@kbn/config-schema';
+import type { ElasticsearchClient } from '@kbn/core/server';
+import { IRouter } from '@kbn/core/server';
+import { PROCESS_EVENTS_INDEX } from '@kbn/session-view-plugin/common/constants';
+import { COUNT_ROUTE } from '../../common/constants';
+
+export const registerCountRoute = (router: IRouter) => {
+  router.get(
+    {
+      path: COUNT_ROUTE,
+      validate: {
+        query: schema.object({
+          query: schema.string(),
+          field: schema.string(),
+          index: schema.maybe(schema.string()),
+        }),
+      },
+    },
+    async (context, request, response) => {
+      const client = (await context.core).elasticsearch.client.asCurrentUser;
+      const { query, field, index } = request.query;
+
+      try {
+        const body = await doCount(client, query, field, index);
+
+        return response.ok({ body });
+      } catch (err) {
+        return response.badRequest(err.message);
+      }
+    }
+  );
+};
+
+export const doCount = async (
+  client: ElasticsearchClient,
+  query: string,
+  field: string,
+  index?: string
+) => {
+  const queryDSL = JSON.parse(query);
+
+  const search = await client.search({
+    index: [index || PROCESS_EVENTS_INDEX],
+    body: {
+      query: queryDSL,
+      size: 0,
+      aggs: {
+        custom_count: {
+          cardinality: {
+            field,
+          },
+        },
+      },
+    },
+  });
+
+  const agg: any = search.aggregations?.custom_count;
+
+  return agg?.value || 0;
+};
diff --git a/x-pack/plugins/kubernetes_security/server/routes/index.ts b/x-pack/plugins/kubernetes_security/server/routes/index.ts
new file mode 100644
index 0000000000000..6f7236ebb25d7
--- /dev/null
+++ b/x-pack/plugins/kubernetes_security/server/routes/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { IRouter } from '@kbn/core/server';
+import { RuleRegistryPluginStartContract } from '@kbn/rule-registry-plugin/server';
+import { registerAggregateRoute } from './aggregate';
+import { registerCountRoute } from './count';
+
+export const registerRoutes = (router: IRouter, ruleRegistry: RuleRegistryPluginStartContract) => {
+  registerAggregateRoute(router);
+  registerCountRoute(router);
+};
diff --git a/x-pack/plugins/kubernetes_security/server/types.ts b/x-pack/plugins/kubernetes_security/server/types.ts
new file mode 100644
index 0000000000000..3c10f35bc3239
--- /dev/null
+++ b/x-pack/plugins/kubernetes_security/server/types.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import {
+  RuleRegistryPluginSetupContract as RuleRegistryPluginSetup,
+  RuleRegistryPluginStartContract as RuleRegistryPluginStart,
+} from '@kbn/rule-registry-plugin/server';
+
+export interface KubernetesSecuritySetupPlugins {
+  ruleRegistry: RuleRegistryPluginSetup;
+}
+
+export interface KubernetesSecurityStartPlugins {
+  ruleRegistry: RuleRegistryPluginStart;
+}
diff --git a/x-pack/plugins/kubernetes_security/tsconfig.json b/x-pack/plugins/kubernetes_security/tsconfig.json new file mode 100644 index 0000000000000..b941be57d72ae --- /dev/null +++ b/x-pack/plugins/kubernetes_security/tsconfig.json @@ -0,0 +1,44 @@ +{ + "extends": "../../../tsconfig.base.json", + "compilerOptions": { + "outDir": "./target/types", + "emitDeclarationOnly": true, + "declaration": true, + "declarationMap": true + }, + "include": [ + // add all the folders containg files to be compiled + "common/**/*", + "public/**/*", + "server/**/*", + "server/**/*.json", + "scripts/**/*", + "package.json", + "storybook/**/*", + "../../../typings/**/*" + ], + "references": [ + { "path": "../../../src/core/tsconfig.json" }, + // add references to other TypeScript projects the plugin depends on + + // requiredPlugins from ./kibana.json + { "path": "../licensing/tsconfig.json" }, + { "path": "../../../src/plugins/data/tsconfig.json" }, + { "path": "../encrypted_saved_objects/tsconfig.json" }, + + // optionalPlugins from ./kibana.json + { "path": "../security/tsconfig.json" }, + { "path": "../features/tsconfig.json" }, + { "path": "../cloud/tsconfig.json" }, + { "path": "../../../src/plugins/usage_collection/tsconfig.json" }, + { "path": "../../../src/plugins/home/tsconfig.json" }, + + // requiredBundles from ./kibana.json + { "path": "../../../src/plugins/kibana_react/tsconfig.json" }, + { "path": "../../../src/plugins/es_ui_shared/tsconfig.json" }, + { "path": "../infra/tsconfig.json" }, + { "path": "../../../src/plugins/kibana_utils/tsconfig.json" }, + { "path": "../rule_registry/tsconfig.json" }, + { "path": "../session_view/tsconfig.json" } + ] +} diff --git a/x-pack/plugins/lens/public/app_plugin/app.test.tsx b/x-pack/plugins/lens/public/app_plugin/app.test.tsx index 6e8cc4315ad8b..fed226af7dde5 100644 --- a/x-pack/plugins/lens/public/app_plugin/app.test.tsx +++ b/x-pack/plugins/lens/public/app_plugin/app.test.tsx 
@@ -118,6 +118,7 @@ describe('Lens App', () => { ); const frame = props.editorFrame as ReturnType; + lensStore.dispatch(setState({ ...preloadedState })); return { instance, frame, props, services, lensStore }; } @@ -997,7 +998,7 @@ describe('Lens App', () => { min: moment('2021-01-09T04:00:00.000Z'), max: moment('2021-01-09T08:00:00.000Z'), }); - act(() => + await act(async () => instance.find(services.navigation.ui.TopNavMenu).prop('onQuerySubmit')!({ dateRange: { from: 'now-14d', to: 'now-7d' }, query: { query: 'new', language: 'lucene' }, diff --git a/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx b/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx index 4ae1b8860c878..c17417e5106a1 100644 --- a/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx +++ b/x-pack/plugins/lens/public/app_plugin/lens_top_nav.tsx @@ -367,14 +367,16 @@ export const LensTopNavMenu = ({ datasourceMap[activeDatasourceId], datasourceStates[activeDatasourceId].state, activeData, + data.query.timefilter.timefilter.getTime(), application.capabilities ); }, [ - activeData, activeDatasourceId, + discover, datasourceMap, datasourceStates, - discover, + activeData, + data.query.timefilter.timefilter, application.capabilities, ]); diff --git a/x-pack/plugins/lens/public/app_plugin/mounter.tsx b/x-pack/plugins/lens/public/app_plugin/mounter.tsx index 567e02c46c684..32c367a1baaa6 100644 --- a/x-pack/plugins/lens/public/app_plugin/mounter.tsx +++ b/x-pack/plugins/lens/public/app_plugin/mounter.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import React, { FC, useCallback, useEffect, useState } from 'react'; +import React, { FC, useCallback, useEffect, useState, useMemo } from 'react'; import { PreloadedState } from '@reduxjs/toolkit'; import { AppMountParameters, CoreSetup, CoreStart } from '@kbn/core/public'; import { FormattedMessage, I18nProvider } from '@kbn/i18n-react'; 
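Review bot: In the `useMemo` in lens_top_nav.tsx the new argument `data.query.timefilter.timefilter.getTime()` is read inside the memo body while the dependency list carries `data.query.timefilter.timefilter` — the service object, whose identity does not change when the user picks a new time range — so the memoized result will not recompute on a time-picker change and `getLayerMetaInfo` can be handed a stale range; the enclosing `LensTopNavMenu` body starts and ends outside the hunk. Reading the time into a value the component actually tracks (a state value fed by the timefilter's update observable, or the time range Lens already keeps in its store) and listing that value in the deps makes the recomputation correct; if the current behavior is deliberate, a comment on the `getTime()` line saying the range is intentionally sampled only on other dependency changes would save the next reader the same question.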
@@ -226,6 +226,20 @@ export async function mountApp( }, [props.history] ); + const initialInput = useMemo( + () => getInitialInput(props.id, props.editByValue), + [props.editByValue, props.id] + ); + const initCallback = useCallback(() => { + // Clear app-specific filters when navigating to Lens. Necessary because Lens + // can be loaded without a full page refresh. If the user navigates to Lens from Discover + // we keep the filters + if (!initialContext) { + data.query.filterManager.setAppFilters([]); + } + lensStore.dispatch(setState(getPreloadedState(storeDeps) as LensAppState)); + lensStore.dispatch(loadInitial({ redirectCallback, initialInput, history: props.history })); + }, [initialInput, props.history, redirectCallback]); useEffect(() => { (async () => { const hasUserDataView = await data.dataViews.hasData.hasUserDataView().catch(() => false); @@ -235,27 +249,10 @@ export async function mountApp( return; } setEditorState('data'); + initCallback(); })(); - }, [props.history]); + }, [initCallback, initialInput, props.history, redirectCallback]); trackUiEvent('loaded'); - const initialInput = getInitialInput(props.id, props.editByValue); - - // Clear app-specific filters when navigating to Lens. Necessary because Lens - // can be loaded without a full page refresh. If the user navigates to Lens from Discover - // we keep the filters - if (!initialContext) { - data.query.filterManager.setAppFilters([]); - } - - useEffect(() => { - if (editorState === 'data') { - lensStore.dispatch(setState(getPreloadedState(storeDeps) as LensAppState)); - lensStore.dispatch( - loadInitial({ redirectCallback, initialInput, history: props.history }) - ); - } - // eslint-disable-next-line react-hooks/exhaustive-deps - }, [props.id, props.editByValue, editorState]); if (editorState === 'loading') { return ; @@ -272,6 +269,7 @@ export async function mountApp( { setEditorState('data'); + initCallback(); }} /> ; 
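Review bot: The `useEffect` dependency list `[initCallback, initialInput, props.history, redirectCallback]` is redundant — `initCallback` already closes over the last three and changes identity when they do — and the effect now re-runs the data-view check and `initCallback()` (which dispatches `setState` and then `loadInitial`) every time `initCallback` changes, where the removed effect gated the two dispatches on `editorState === 'data'`. `[initCallback]` alone expresses the intent; if re-initialising the store on every identity change is wanted, a comment saying so belongs on the effect, since `mountApp` begins and ends outside the hunk. `initCallback`'s own deps omit `initialContext`, `data`, `lensStore` and `storeDeps`; if those are stable closure values of `mountApp` rather than React state, a one-line comment to that effect (`// initialContext/data/lensStore/storeDeps are fixed for the app lifetime`) pre-empts the exhaustive-deps question the same hunk previously had to suppress.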
diff --git a/x-pack/plugins/lens/public/app_plugin/show_underlying_data.test.ts b/x-pack/plugins/lens/public/app_plugin/show_underlying_data.test.ts index 367349f17a5b2..4ed822e7dc2f6 100644 --- a/x-pack/plugins/lens/public/app_plugin/show_underlying_data.test.ts +++ b/x-pack/plugins/lens/public/app_plugin/show_underlying_data.test.ts @@ -17,7 +17,13 @@ describe('getLayerMetaInfo', () => { }; it('should return error in case of no data', () => { expect( - getLayerMetaInfo(createMockDatasource('testDatasource'), {}, undefined, capabilities).error + getLayerMetaInfo( + createMockDatasource('testDatasource'), + {}, + undefined, + undefined, + capabilities + ).error ).toBe('Visualization has no data available to show'); }); @@ -30,20 +36,27 @@ describe('getLayerMetaInfo', () => { datatable1: { type: 'datatable', columns: [], rows: [] }, datatable2: { type: 'datatable', columns: [], rows: [] }, }, + undefined, capabilities ).error ).toBe('Cannot show underlying data for visualizations with multiple layers'); }); it('should return error in case of missing activeDatasource', () => { - expect(getLayerMetaInfo(undefined, {}, undefined, capabilities).error).toBe( + expect(getLayerMetaInfo(undefined, {}, undefined, undefined, capabilities).error).toBe( 'Visualization has no data available to show' ); }); it('should return error in case of missing configuration/state', () => { expect( - getLayerMetaInfo(createMockDatasource('testDatasource'), undefined, {}, capabilities).error + getLayerMetaInfo( + createMockDatasource('testDatasource'), + undefined, + {}, + undefined, + capabilities + ).error ).toBe('Visualization has no data available to show'); }); 
@@ -67,10 +80,35 @@ describe('getLayerMetaInfo', () => { }; mockDatasource.getPublicAPI.mockReturnValue(updatedPublicAPI); expect( - getLayerMetaInfo(createMockDatasource('testDatasource'), {}, {}, capabilities).error + getLayerMetaInfo(createMockDatasource('testDatasource'), {}, {}, undefined, capabilities) + .error ).toBe('Visualization has no data available to show'); }); + it('should return error in case of getFilters returning errors', () => { + const mockDatasource = createMockDatasource('testDatasource'); + const updatedPublicAPI: DatasourcePublicAPI = { + datasourceId: 'indexpattern', + getOperationForColumnId: jest.fn(), + getTableSpec: jest.fn(() => [{ columnId: 'col1', fields: ['bytes'] }]), + getVisualDefaults: jest.fn(), + getSourceId: jest.fn(), + getFilters: jest.fn(() => ({ error: 'filters error' })), + }; + mockDatasource.getPublicAPI.mockReturnValue(updatedPublicAPI); + expect( + getLayerMetaInfo( + mockDatasource, + {}, // the publicAPI has been mocked, so no need for a state here + { + datatable1: { type: 'datatable', columns: [], rows: [] }, + }, + undefined, + capabilities + ).error + ).toBe('filters error'); + }); + it('should not be visible if discover is not available', () => { // both capabilities should be enabled to enable discover expect( @@ -80,6 +118,7 @@ describe('getLayerMetaInfo', () => { { datatable1: { type: 'datatable', columns: [], rows: [] }, }, + undefined, { navLinks: { discover: false }, discover: { show: true }, @@ -93,6 +132,7 @@ describe('getLayerMetaInfo', () => { { datatable1: { type: 'datatable', columns: [], rows: [] }, }, + undefined, { navLinks: { discover: true }, discover: { show: false }, @@ -124,6 +164,7 @@ describe('getLayerMetaInfo', () => { { datatable1: { type: 'datatable', columns: [], rows: [] }, }, + undefined, capabilities ); expect(error).toBeUndefined(); 
diff --git a/x-pack/plugins/lens/public/app_plugin/show_underlying_data.ts b/x-pack/plugins/lens/public/app_plugin/show_underlying_data.ts index e673108585524..a3900d229363f 100644 --- a/x-pack/plugins/lens/public/app_plugin/show_underlying_data.ts +++ b/x-pack/plugins/lens/public/app_plugin/show_underlying_data.ts @@ -12,6 +12,7 @@ import { buildCustomFilter, buildEsQuery, FilterStateStore, + TimeRange, } from '@kbn/es-query'; import { i18n } from '@kbn/i18n'; import { RecursiveReadonly } from '@kbn/utility-types'; @@ -59,6 +60,7 @@ export function getLayerMetaInfo( currentDatasource: Datasource | undefined, datasourceState: unknown, activeData: TableInspectorAdapter | undefined, + timeRange: TimeRange | undefined, capabilities: RecursiveReadonly<{ navLinks: Capabilities['navLinks']; discover?: Capabilities['discover']; @@ -116,12 +118,22 @@ export function getLayerMetaInfo( }; } + const filtersOrError = datasourceAPI.getFilters(activeData, timeRange); + + if ('error' in filtersOrError) { + return { + meta: undefined, + error: filtersOrError.error, + isVisible, + }; + } + const uniqueFields = [...new Set(columnsWithNoTimeShifts.map(({ fields }) => fields).flat())]; return { meta: { id: datasourceAPI.getSourceId()!, columns: uniqueFields, - filters: datasourceAPI.getFilters(activeData), + filters: filtersOrError, }, error: undefined, isVisible, diff --git a/x-pack/plugins/lens/public/embeddable/embeddable.tsx b/x-pack/plugins/lens/public/embeddable/embeddable.tsx index bc7770e815ba6..fff323ae4293b 100644 --- a/x-pack/plugins/lens/public/embeddable/embeddable.tsx +++ b/x-pack/plugins/lens/public/embeddable/embeddable.tsx @@ -178,6 +178,7 @@ function getViewUnderlyingDataArgs({ activeDatasource, activeDatasourceState, activeData, + timeRange, capabilities ); diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/indexpattern.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/indexpattern.tsx index 8ed569ddfd328..6ff17eadd6388 100644 
--- a/x-pack/plugins/lens/public/indexpattern_datasource/indexpattern.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/indexpattern.tsx @@ -10,6 +10,7 @@ import { render } from 'react-dom'; import { I18nProvider } from '@kbn/i18n-react'; import type { CoreStart, SavedObjectReference } from '@kbn/core/public'; import { i18n } from '@kbn/i18n'; +import { TimeRange } from '@kbn/es-query'; import type { IStorageWrapper } from '@kbn/kibana-utils-plugin/public'; import type { FieldFormatsStart } from '@kbn/field-formats-plugin/public'; import { isEqual } from 'lodash'; @@ -532,8 +533,14 @@ export function getIndexPatternDatasource({ return null; }, getSourceId: () => layer.indexPatternId, - getFilters: (activeData: FramePublicAPI['activeData']) => - getFiltersInLayer(layer, visibleColumnIds, activeData?.[layerId]), + getFilters: (activeData: FramePublicAPI['activeData'], timeRange?: TimeRange) => + getFiltersInLayer( + layer, + visibleColumnIds, + activeData?.[layerId], + state.indexPatterns[layer.indexPatternId], + timeRange + ), getVisualDefaults: () => getVisualDefaultsForLayer(layer), }; }, diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/formula/editor/math_completion.ts b/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/formula/editor/math_completion.ts index a1b629be9c134..d793ace3b5196 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/formula/editor/math_completion.ts +++ b/x-pack/plugins/lens/public/indexpattern_datasource/operations/definitions/formula/editor/math_completion.ts 
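Review bot: `state.indexPatterns[layer.indexPatternId]` is passed to `getFiltersInLayer` as a required `IndexPattern`, but an indexed lookup on a record can yield `undefined` (a data view still loading or since removed), and the date-histogram path added to `getFiltersInLayer` in utils.tsx dereferences `indexPattern.timeFieldName` unconditionally. Guarding here — `const indexPattern = state.indexPatterns[layer.indexPatternId];` followed by an early return of the existing filter shape when it is missing — or typing the parameter as `IndexPattern | undefined` and checking inside closes that path. Whether the lookup can actually miss at this call site depends on how `state.indexPatterns` is populated, which is outside the hunk, so a comment stating the invariant would also be acceptable if it is guaranteed.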
@@ -21,6 +21,7 @@ import type { QuerySuggestion, } from '@kbn/unified-search-plugin/public'; import { parseTimeShift } from '@kbn/data-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { IndexPattern } from '../../../../types'; import { memoizedGetAvailableOperationsByMetadata } from '../../../operations'; import { tinymathFunctions, groupArgsByType, unquotedStringRegex } from '../util'; @@ -371,7 +372,7 @@ export async function getNamedArgumentSuggestions({ query, selectionStart: position, selectionEnd: position, - indexPatterns: [indexPattern], + indexPatterns: [indexPattern as unknown as DataView], boolFilter: [], }); return { diff --git a/x-pack/plugins/lens/public/indexpattern_datasource/utils.tsx b/x-pack/plugins/lens/public/indexpattern_datasource/utils.tsx index b22369dfb2dd2..768783d5ce38c 100644 --- a/x-pack/plugins/lens/public/indexpattern_datasource/utils.tsx +++ b/x-pack/plugins/lens/public/indexpattern_datasource/utils.tsx @@ -9,6 +9,7 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; import type { DocLinksStart } from '@kbn/core/public'; +import { TimeRange } from '@kbn/es-query'; import { EuiLink, EuiTextColor, EuiButton, EuiSpacer } from '@elastic/eui'; import { DatatableColumn } from '@kbn/expressions-plugin'; @@ -27,6 +28,7 @@ import { updateDefaultLabels, RangeIndexPatternColumn, FormulaIndexPatternColumn, + DateHistogramIndexPatternColumn, } from './operations'; import { getInvalidFieldMessage, isColumnOfType } from './operations/definitions/helpers'; 
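Review bot: `indexPattern as unknown as DataView` in `getNamedArgumentSuggestions` silences the mismatch between Lens's `IndexPattern` and the `DataView` the suggestion provider expects rather than resolving it; a cast through `unknown` means any later divergence between the two shapes is invisible to the compiler at exactly the point where the provider reads fields off the object. If the two are known to be structurally compatible for what the provider uses, say so on the line — `// Lens IndexPattern carries the fields the suggestion provider reads; cast is shape-compatible` — otherwise obtaining the real `DataView` from the data views service is the safer route. The enclosing function starts outside the hunk.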
@@ -341,6 +343,21 @@ function extractQueriesFromRanges(column: RangeIndexPatternColumn) { .filter(({ query }) => query?.trim()); } +/** + * If the data view doesn't have a default time field, Discover can't use the global time range - construct an equivalent filter instead + */ +function extractTimeRangeFromDateHistogram( + column: DateHistogramIndexPatternColumn, + timeRange: TimeRange +) { + return [ + { + language: 'kuery', + query: `${column.sourceField} >= "${timeRange.from}" AND ${column.sourceField} <= "${timeRange.to}"`, + }, + ]; +} + /** * Given an Terms/Top values column transform each entry into a "field: term" KQL query * This works also for multi-terms variant @@ -442,14 +459,16 @@ function collectOnlyValidQueries( export function getFiltersInLayer( layer: IndexPatternLayer, columnIds: string[], - layerData: NonNullable[string] | undefined + layerData: NonNullable[string] | undefined, + indexPattern: IndexPattern, + timeRange: TimeRange | undefined ) { const filtersGroupedByState = collectFiltersFromMetrics(layer, columnIds); const [enabledFiltersFromMetricsByLanguage, disabledFitleredFromMetricsByLanguage] = ( ['enabled', 'disabled'] as const ).map((state) => groupBy(filtersGroupedByState[state], 'language') as unknown as GroupedQueries); - const filterOperation = columnIds + const filterOperationsOrErrors = columnIds .map((colId) => { const column = layer.columns[colId]; 
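Review bot: `extractTimeRangeFromDateHistogram` interpolates `column.sourceField` and `timeRange.from`/`timeRange.to` into a KQL string with no escaping, so a field name containing KQL-significant characters (spaces, `:`, parentheses, quotes) yields a malformed or differently-scoped query when Discover later executes it, and a time value containing a double quote would break out of the quoted literal. Running both through the KQL escaping helper `@kbn/es-query` provides (`escapeKuery`), or at least quoting the field name, keeps the generated filter equivalent to the intended `field >= from AND field <= to`. These values come from the data view and the time picker rather than directly from an end user, so the practical impact is incorrect Discover results rather than privilege gain, but the doc comment should also state the `ignoreTimeRange`/`timeFieldName` preconditions that `getFiltersInLayer` checks before calling it.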
@@ -471,6 +490,28 @@ export function getFiltersInLayer( }; } + if ( + isColumnOfType('date_histogram', column) && + timeRange && + column.sourceField && + !column.params.ignoreTimeRange && + indexPattern.timeFieldName !== column.sourceField + ) { + if (indexPattern.timeFieldName) { + // non-default time field is not supported in Discover if data view has a time field + return { + error: i18n.translate('xpack.lens.indexPattern.nonDefaultTimeFieldError', { + defaultMessage: + 'Underlying data does not support date histograms on non-default time fields if time field is set on the data view', + }), + }; + } + // if the data view has no default time field but the date histograms' time field is bound to the time range, create a KQL query for the time range + return { + kuery: extractTimeRangeFromDateHistogram(column, timeRange), + }; + } + if ( isColumnOfType('terms', column) && !(column.params.otherBucket || column.params.missingBucket) @@ -490,13 +531,30 @@ export function getFiltersInLayer( }; } }) - .filter(Boolean) as GroupedQueries[]; + .filter(Boolean); + + const errors = filterOperationsOrErrors.filter((filter) => filter && 'error' in filter) as Array<{ + error: string; + }>; + + if (errors.length) { + return { + error: errors.map(({ error }) => error).join(', '), + }; + } + + const filterOperations = filterOperationsOrErrors as GroupedQueries[]; + return { enabled: { - kuery: collectOnlyValidQueries(enabledFiltersFromMetricsByLanguage, filterOperation, 'kuery'), + kuery: collectOnlyValidQueries( + enabledFiltersFromMetricsByLanguage, + filterOperations, + 'kuery' + ), lucene: collectOnlyValidQueries( enabledFiltersFromMetricsByLanguage, - filterOperation, + filterOperations, 'lucene' ), }, diff --git a/x-pack/plugins/lens/public/state_management/context_middleware/index.ts b/x-pack/plugins/lens/public/state_management/context_middleware/index.ts index 65507a6767166..90cd4ba27723e 100644 
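Review bot: In the second hunk of `getFiltersInLayer` the `as Array<{ error: string }>` and `as GroupedQueries[]` casts stand in for a type guard, so the `undefined` left in the element type by `.filter(Boolean)` is hidden rather than narrowed away. A predicate such as `const isError = (f: (typeof filterOperationsOrErrors)[number]): f is { error: string } => !!f && 'error' in f;` lets `errors = filterOperationsOrErrors.filter(isError)` and the complementary filter narrow both lists without casts. The date-histogram branch in the first hunk returns `{ error }` from inside the `.map` callback, and the function continues past both hunks.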
--- a/x-pack/plugins/lens/public/state_management/context_middleware/index.ts +++ b/x-pack/plugins/lens/public/state_management/context_middleware/index.ts @@ -32,11 +32,7 @@ function isTimeBased(state: LensState, datasourceMap: DatasourceMap) { } export const contextMiddleware = (storeDeps: LensStoreDeps) => (store: MiddlewareAPI) => { - const unsubscribeFromExternalContext = subscribeToExternalContext( - storeDeps.lensServices.data, - store.getState, - store.dispatch - ); + let unsubscribeFromExternalContext: (() => void) | undefined; return (next: Dispatch) => (action: PayloadAction) => { if ( !(action.payload as Partial)?.searchSessionId && @@ -46,10 +42,18 @@ export const contextMiddleware = (storeDeps: LensStoreDeps) => (store: Middlewar ) { updateTimeRange(storeDeps.lensServices.data, store.dispatch); } - if (navigateAway.match(action)) { + if (navigateAway.match(action) && unsubscribeFromExternalContext) { return unsubscribeFromExternalContext(); } next(action); + // store stopped loading and external context is not subscribed to yet - do it now + if (!store.getState().lens.isLoading && !unsubscribeFromExternalContext) { + unsubscribeFromExternalContext = subscribeToExternalContext( + storeDeps.lensServices.data, + store.getState, + store.dispatch + ); + } }; }; diff --git a/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.test.tsx b/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.test.tsx index bd1fc948eb937..009b62a505651 100644 --- a/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.test.tsx +++ b/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.test.tsx 
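Review bot: In the `navigateAway` branch `unsubscribeFromExternalContext` is invoked but never cleared, so after one navigate-away the guard `!unsubscribeFromExternalContext` at the end of the middleware stays false and the store, if it is reused, never resubscribes to the external context; the stale function reference is also retained. Clearing it on the way out avoids both: `const unsubscribe = unsubscribeFromExternalContext;` / `unsubscribeFromExternalContext = undefined;` / `return unsubscribe();`. The lazy subscription also deserves a comment on the `let` declaration saying it is created only once the store reports `isLoading === false`, since that ordering is the reason for the change.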
@@ -52,9 +52,9 @@ describe('open in discover drilldown', () => { ); expect(isCompatible).toHaveBeenCalledWith(expect.objectContaining({ filters })); }); - it('calls through to execute helper', () => { + it('calls through to execute helper', async () => { const filters: Filter[] = [{ meta: { disabled: false } }]; - drilldown.execute( + await drilldown.execute( { openInNewTab: true }, { embeddable: { type: 'lens' } as IEmbeddable, filters } ); diff --git a/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.tsx b/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.tsx index d957b9cafd4be..4c089a8212025 100644 --- a/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.tsx +++ b/x-pack/plugins/lens/public/trigger_actions/open_in_discover_drilldown.tsx @@ -7,13 +7,7 @@ import React from 'react'; import { IEmbeddable, EmbeddableInput } from '@kbn/embeddable-plugin/public'; -import { - Query, - Filter, - TimeRange, - extractTimeRange, - APPLY_FILTER_TRIGGER, -} from '@kbn/data-plugin/public'; +import { Query, Filter, TimeRange, APPLY_FILTER_TRIGGER } from '@kbn/data-plugin/public'; import { CollectConfigProps as CollectConfigPropsBase } from '@kbn/kibana-utils-plugin/public'; import { reactToUiComponent } from '@kbn/kibana-react-plugin/public'; import { @@ -122,6 +116,7 @@ export class OpenInDiscoverDrilldown }; public readonly execute = async (config: Config, context: ActionContext) => { + const { extractTimeRange } = await import('@kbn/es-query'); const { restOfFilters: filters, timeRange: timeRange } = extractTimeRange( context.filters, context.timeFieldName diff --git a/x-pack/plugins/lens/public/types.ts b/x-pack/plugins/lens/public/types.ts index 1ffc300542b09..4c2f0785e7a3e 100644 --- a/x-pack/plugins/lens/public/types.ts +++ b/x-pack/plugins/lens/public/types.ts 
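Review bot: The `await import('@kbn/es-query')` that now opens `execute` carries no comment on why `extractTimeRange` is loaded lazily while the sibling imports from `@kbn/data-plugin/public` above stay static; presumably it keeps `@kbn/es-query` out of the drilldown's initial bundle, but a reader cannot tell from the hunk. Add `// loaded on demand to keep @kbn/es-query out of the initial bundle — confirm` above it, or restore the static import if bundle size is not the motivation. `execute` continues outside the hunk.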
@@ -14,7 +14,7 @@ import type { import type { PaletteOutput } from '@kbn/coloring'; import type { TopNavMenuData } from '@kbn/navigation-plugin/public'; import type { MutableRefObject } from 'react'; -import { Filter } from '@kbn/es-query'; +import { Filter, TimeRange } from '@kbn/es-query'; import type { ExpressionAstExpression, ExpressionRendererEvent, @@ -369,15 +369,20 @@ export interface DatasourcePublicAPI { */ getSourceId: () => string | undefined; /** - * Collect all defined filters from all the operations in the layer + * Collect all defined filters from all the operations in the layer. If it returns undefined, this means that filters can't be constructed for the current layer */ - getFilters: (activeData?: FramePublicAPI['activeData']) => Record< - 'enabled' | 'disabled', - { - kuery: Query[][]; - lucene: Query[][]; - } - >; + getFilters: ( + activeData?: FramePublicAPI['activeData'], + timeRange?: TimeRange + ) => + | { error: string } + | Record< + 'enabled' | 'disabled', + { + kuery: Query[][]; + lucene: Query[][]; + } + >; } export interface DatasourceDataPanelProps { diff --git a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts index 9761f1dcdb193..4566cf4a73f1c 100644 --- a/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts +++ b/x-pack/plugins/maps/public/classes/fields/agg/percentile_agg_field.test.ts @@ -7,7 +7,7 @@ import { AGG_TYPE, FIELD_ORIGIN } from '../../../../common/constants'; import { IESAggSource } from '../../sources/es_agg_source'; -import { IndexPattern } from '@kbn/data-plugin/public'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { PercentileAggField } from './percentile_agg_field'; import { ESDocField } from '../es_doc_field'; 
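Review bot: The doc comment on `getFilters` says "If it returns undefined", but the new signature never returns undefined; the failure case is the `{ error: string }` member of the union. Reword it to `If it returns an object with an error property, filters can't be constructed for the current layer and error holds the user-facing reason`. The new optional `timeRange` parameter is also undocumented; a `@param timeRange` line stating that it is consulted when a date histogram is bound to a non-default time field would tell implementers when they must honour it.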
@@ -68,7 +68,7 @@ describe('percentile agg field', () => { percentile: 80, }); - expect(field.getValueAggDsl(mockIndexPattern as IndexPattern)).toEqual({ + expect(field.getValueAggDsl(mockIndexPattern as DataView)).toEqual({ percentiles: { field: 'foobar', percents: [80] }, }); }); diff --git a/x-pack/plugins/maps/public/classes/fields/es_doc_field.ts b/x-pack/plugins/maps/public/classes/fields/es_doc_field.ts index 4b0f990567fdf..2d9d0dfff8cd8 100644 --- a/x-pack/plugins/maps/public/classes/fields/es_doc_field.ts +++ b/x-pack/plugins/maps/public/classes/fields/es_doc_field.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import type { DataViewField } from '@kbn/data-views-plugin/public'; import { indexPatterns } from '@kbn/data-plugin/public'; import type { AggregationsExtendedStatsAggregation, @@ -52,7 +52,7 @@ export class ESDocField extends AbstractField implements IField { return this._source; } - async _getIndexPatternField(): Promise { + async _getIndexPatternField(): Promise { const indexPattern = await this._source.getIndexPattern(); const indexPatternField = indexPattern.fields.getByName(this.getName()); return indexPatternField && indexPatterns.isNestedField(indexPatternField) diff --git a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/update_source_editor.tsx b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/update_source_editor.tsx index 1769c224c37b3..8b42bc2f162c5 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/update_source_editor.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_geo_grid_source/update_source_editor.tsx 
@@ -10,7 +10,8 @@ import React, { Fragment, Component } from 'react'; import uuid from 'uuid/v4'; import { FormattedMessage } from '@kbn/i18n-react'; import { EuiPanel, EuiSpacer, EuiComboBoxOptionOption, EuiTitle } from '@elastic/eui'; -import { IndexPatternField, indexPatterns } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; +import { indexPatterns } from '@kbn/data-plugin/public'; import { getDataViewNotFoundMessage } from '../../../../common/i18n_getters'; import { AGG_TYPE, @@ -42,7 +43,7 @@ interface Props { interface State { geoFieldType?: ES_GEO_FIELD_TYPE; metricsEditorKey: string; - fields: IndexPatternField[]; + fields: DataViewField[]; loadError?: string; } diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/top_hits_form.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/top_hits_form.tsx index 8b39310ae13a8..2cbc47e4e9c76 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/top_hits_form.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/top_hits_form.tsx @@ -8,7 +8,7 @@ import React, { ChangeEvent, Component, Fragment } from 'react'; import { EuiFormRow, EuiSelect } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { SortDirection } from '@kbn/data-plugin/public'; import { SingleFieldSelect } from '../../../../components/single_field_select'; import { getIndexPatternService } from '../../../../kibana_services'; @@ -23,9 +23,9 @@ interface Props { isColumnCompressed?: boolean; onChange: (args: OnSourceChangeArgs) => void; sortField: string; - sortFields: IndexPatternField[]; + sortFields: DataViewField[]; sortOrder: SortDirection; - termFields: IndexPatternField[]; + termFields: DataViewField[]; topHitsSplitField: string | null; topHitsSize: number; } 
diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/update_source_editor.tsx b/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/update_source_editor.tsx index 356dbfe7d03a1..2e26cbea33b52 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/update_source_editor.tsx +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/top_hits/update_source_editor.tsx @@ -9,7 +9,7 @@ import React, { Component, Fragment } from 'react'; import { EuiFormRow, EuiTitle, EuiPanel, EuiSpacer, EuiSwitch, EuiSwitchEvent } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { SortDirection } from '@kbn/data-plugin/public'; import { getDataViewNotFoundMessage } from '../../../../../common/i18n_getters'; import { FIELD_ORIGIN } from '../../../../../common/constants'; @@ -38,8 +38,8 @@ interface Props { interface State { loadError?: string; sourceFields: IField[]; - termFields: IndexPatternField[]; - sortFields: IndexPatternField[]; + termFields: DataViewField[]; + sortFields: DataViewField[]; } export class TopHitsUpdateSourceEditor extends Component { diff --git a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/get_docvalue_source_fields.test.ts b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/get_docvalue_source_fields.test.ts index 90e674c5da288..2c6a48d47d097 100644 --- a/x-pack/plugins/maps/public/classes/sources/es_search_source/util/get_docvalue_source_fields.test.ts +++ b/x-pack/plugins/maps/public/classes/sources/es_search_source/util/get_docvalue_source_fields.test.ts 
@@ -6,9 +6,9 @@ */ import { getDocValueAndSourceFields } from './get_docvalue_source_fields'; -import type { IndexPatternField, IndexPattern } from '@kbn/data-plugin/public'; +import type { DataViewField, DataView } from '@kbn/data-views-plugin/public'; -function createMockIndexPattern(fields: IndexPatternField[]): IndexPattern { +function createMockIndexPattern(fields: DataViewField[]): DataView { const indexPattern = { get fields() { return { @@ -19,7 +19,7 @@ function createMockIndexPattern(fields: IndexPatternField[]): IndexPattern { }, }; - return indexPattern as unknown as IndexPattern; + return indexPattern as unknown as DataView; } describe('getDocValueAndSourceFields', () => { @@ -29,7 +29,7 @@ describe('getDocValueAndSourceFields', () => { { name: 'foobar', runtimeField: { type: 'keyword' }, - } as IndexPatternField, + } as DataViewField, ]), ['foobar'], 'epoch_millis' diff --git a/x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts b/x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts index 385d4254d804d..54a3ca16317b5 100644 --- a/x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts +++ b/x-pack/plugins/maps/public/classes/tooltips/es_tooltip_property.test.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { IndexPatternField, IndexPattern } from '@kbn/data-plugin/public'; +import type { DataViewField, DataView } from '@kbn/data-views-plugin/public'; import { ESTooltipProperty } from './es_tooltip_property'; import { TooltipProperty } from './tooltip_property'; import { AbstractField } from '../fields/field'; @@ -25,7 +25,7 @@ const indexPatternField = { searchable: true, aggregatable: true, readFromDocValues: false, -} as IndexPatternField; +} as DataViewField; const featurePropertyField = new MockField({ fieldName: 'machine.os', 
@@ -41,7 +41,7 @@ const nonFilterableIndexPatternField = { searchable: true, aggregatable: true, readFromDocValues: false, -} as IndexPatternField; +} as DataViewField; const nonFilterableFeaturePropertyField = new MockField({ fieldName: 'location', @@ -51,7 +51,7 @@ const nonFilterableFeaturePropertyField = new MockField({ const indexPattern = { id: 'indexPatternId', fields: { - getByName: (name: string): IndexPatternField | null => { + getByName: (name: string): DataViewField | null => { if (name === 'machine.os') { return indexPatternField; } @@ -62,7 +62,7 @@ const indexPattern = { }, }, title: 'my index pattern', -} as IndexPattern; +} as DataView; describe('getESFilters', () => { test('Should return empty array when field does not exist in index pattern', async () => { diff --git a/x-pack/plugins/maps/public/components/geo_field_select.tsx b/x-pack/plugins/maps/public/components/geo_field_select.tsx index a54f3b69f2eb5..d198419525408 100644 --- a/x-pack/plugins/maps/public/components/geo_field_select.tsx +++ b/x-pack/plugins/maps/public/components/geo_field_select.tsx @@ -8,12 +8,12 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; import { EuiFormRow } from '@elastic/eui'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { SingleFieldSelect } from './single_field_select'; interface Props { value: string; - geoFields: IndexPatternField[]; + geoFields: DataViewField[]; onChange: (geoFieldName?: string) => void; } diff --git a/x-pack/plugins/maps/public/components/metrics_editor/metric_editor.tsx b/x-pack/plugins/maps/public/components/metrics_editor/metric_editor.tsx index 65cea345d3d29..42dbfe6107b43 100644 --- a/x-pack/plugins/maps/public/components/metrics_editor/metric_editor.tsx +++ b/x-pack/plugins/maps/public/components/metrics_editor/metric_editor.tsx 
@@ -11,7 +11,7 @@ import { i18n } from '@kbn/i18n'; import { EuiButtonEmpty, EuiComboBoxOptionOption, EuiFieldText, EuiFormRow } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { MetricSelect } from './metric_select'; import { SingleFieldSelect } from '../single_field_select'; import { AggDescriptor } from '../../../common/descriptor_types'; @@ -19,7 +19,7 @@ import { AGG_TYPE, DEFAULT_PERCENTILE } from '../../../common/constants'; import { getTermsFields } from '../../index_pattern_util'; import { ValidatedNumberInput } from '../validated_number_input'; -function filterFieldsForAgg(fields: IndexPatternField[], aggType: AGG_TYPE) { +function filterFieldsForAgg(fields: DataViewField[], aggType: AGG_TYPE) { if (!fields) { return []; } @@ -40,7 +40,7 @@ function filterFieldsForAgg(fields: IndexPatternField[], aggType: AGG_TYPE) { interface Props { metric: AggDescriptor; - fields: IndexPatternField[]; + fields: DataViewField[]; onChange: (metric: AggDescriptor) => void; onRemove: () => void; metricsFilter?: (metricOption: EuiComboBoxOptionOption) => boolean; diff --git a/x-pack/plugins/maps/public/components/metrics_editor/metrics_editor.tsx b/x-pack/plugins/maps/public/components/metrics_editor/metrics_editor.tsx index 2ecc61f9c3e82..b38e20b40d990 100644 --- a/x-pack/plugins/maps/public/components/metrics_editor/metrics_editor.tsx +++ b/x-pack/plugins/maps/public/components/metrics_editor/metrics_editor.tsx 
@@ -8,7 +8,7 @@ import React, { Component, Fragment } from 'react'; import { FormattedMessage } from '@kbn/i18n-react'; import { EuiButtonEmpty, EuiComboBoxOptionOption, EuiSpacer, EuiTextAlign } from '@elastic/eui'; -import type { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { MetricEditor } from './metric_editor'; import { DEFAULT_METRIC } from '../../classes/sources/es_agg_source'; import { AggDescriptor, FieldedAggDescriptor } from '../../../common/descriptor_types'; @@ -23,7 +23,7 @@ export function isMetricValid(aggDescriptor: AggDescriptor) { interface Props { allowMultipleMetrics: boolean; metrics: AggDescriptor[]; - fields: IndexPatternField[]; + fields: DataViewField[]; onChange: (metrics: AggDescriptor[]) => void; metricsFilter?: (metricOption: EuiComboBoxOptionOption) => boolean; } diff --git a/x-pack/plugins/maps/public/components/single_field_select.tsx b/x-pack/plugins/maps/public/components/single_field_select.tsx index 835fc99d931f3..298e866ae3bed 100644 --- a/x-pack/plugins/maps/public/components/single_field_select.tsx +++ b/x-pack/plugins/maps/public/components/single_field_select.tsx @@ -18,19 +18,19 @@ import { EuiToolTip, } from '@elastic/eui'; import { FieldIcon } from '@kbn/react-field'; -import { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; function fieldsToOptions( - fields?: IndexPatternField[], - isFieldDisabled?: (field: IndexPatternField) => boolean -): Array> { + fields?: DataViewField[], + isFieldDisabled?: (field: DataViewField) => boolean +): Array> { if (!fields) { return []; } return fields .map((field) => { - const option: EuiComboBoxOptionOption = { + const option: EuiComboBoxOptionOption = { value: field, label: field.displayName ? field.displayName : field.name, }; 
@@ -45,14 +45,14 @@ function fieldsToOptions( } type Props = Omit< - EuiComboBoxProps, + EuiComboBoxProps, 'isDisabled' | 'onChange' | 'options' | 'renderOption' | 'selectedOptions' | 'singleSelection' > & { - fields?: IndexPatternField[]; + fields?: DataViewField[]; onChange: (fieldName?: string) => void; value: string | null; // index pattern field name - isFieldDisabled?: (field: IndexPatternField) => boolean; - getFieldDisabledReason?: (field: IndexPatternField) => string | null; + isFieldDisabled?: (field: DataViewField) => boolean; + getFieldDisabledReason?: (field: DataViewField) => string | null; }; export function SingleFieldSelect({ @@ -64,7 +64,7 @@ export function SingleFieldSelect({ ...rest }: Props) { function renderOption( - option: EuiComboBoxOptionOption, + option: EuiComboBoxOptionOption, searchValue: string, contentClassName: string ) { @@ -91,13 +91,13 @@ export function SingleFieldSelect({ ); } - const onSelection = (selectedOptions: Array>) => { + const onSelection = (selectedOptions: Array>) => { onChange(_.get(selectedOptions, '0.value.name')); }; - const selectedOptions: Array> = []; + const selectedOptions: Array> = []; if (value && fields) { - const selectedField = fields.find((field: IndexPatternField) => { + const selectedField = fields.find((field: DataViewField) => { return field.name === value; }); if (selectedField) { diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx index 8a0cc5de6f373..553e30e3194f3 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/join_expression.tsx 
@@ -18,7 +18,7 @@ import { } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { FormattedMessage } from '@kbn/i18n-react'; import { getDataViewSelectPlaceholder } from '../../../../../common/i18n_getters'; import { DEFAULT_MAX_BUCKETS_LIMIT } from '../../../../../common/constants'; @@ -55,7 +55,7 @@ interface Props { // Right field props rightValue: string; rightSize?: number; - rightFields: IndexPatternField[]; + rightFields: DataViewField[]; onRightFieldChange: (term?: string) => void; onRightSizeChange: (size: number) => void; } diff --git a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/metrics_expression.tsx b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/metrics_expression.tsx index 01475054da145..b809ba5f6128d 100644 --- a/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/metrics_expression.tsx +++ b/x-pack/plugins/maps/public/connected_components/edit_layer_panel/join_editor/resources/metrics_expression.tsx @@ -15,7 +15,7 @@ import { EuiFormHelpText, } from '@elastic/eui'; -import { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; import { FormattedMessage } from '@kbn/i18n-react'; import { MetricsEditor } from '../../../../components/metrics_editor'; import { AGG_TYPE } from '../../../../../common/constants'; @@ -23,7 +23,7 @@ import { AggDescriptor, FieldedAggDescriptor } from '../../../../../common/descr interface Props { metrics: AggDescriptor[]; - rightFields: IndexPatternField[]; + rightFields: DataViewField[]; onChange: (metrics: AggDescriptor[]) => void; } diff --git a/x-pack/plugins/maps/public/index_pattern_util.test.ts b/x-pack/plugins/maps/public/index_pattern_util.test.ts index 52c91e05e6132..74cc29320e3dd 100644 
--- a/x-pack/plugins/maps/public/index_pattern_util.test.ts +++ b/x-pack/plugins/maps/public/index_pattern_util.test.ts @@ -14,18 +14,18 @@ import { supportsGeoTileAgg, } from './index_pattern_util'; import { ES_GEO_FIELD_TYPE } from '../common/constants'; -import { IndexPatternField } from '@kbn/data-plugin/public'; +import { DataViewField } from '@kbn/data-views-plugin/public'; describe('getSourceFields', () => { test('Should remove multi fields from field list', () => { - const agent = new IndexPatternField({ + const agent = new DataViewField({ name: 'agent', searchable: true, aggregatable: true, type: 'string', }); - const agentKeyword = new IndexPatternField({ + const agentKeyword = new DataViewField({ name: 'agent.keyword', subType: { multi: { @@ -52,7 +52,7 @@ describe('Gold+ licensing', () => { name: 'location', type: 'geo_point', aggregatable: true, - } as IndexPatternField, + } as DataViewField, supportedInBasic: true, supportedInGold: true, }, @@ -61,7 +61,7 @@ describe('Gold+ licensing', () => { name: 'location', type: 'geo_shape', aggregatable: false, - } as IndexPatternField, + } as DataViewField, supportedInBasic: false, supportedInGold: false, }, @@ -70,7 +70,7 @@ describe('Gold+ licensing', () => { name: 'location', type: 'geo_shape', aggregatable: true, - } as IndexPatternField, + } as DataViewField, supportedInBasic: false, supportedInGold: true, }, diff --git a/x-pack/plugins/maps/public/lazy_load_bundle/index.ts b/x-pack/plugins/maps/public/lazy_load_bundle/index.ts index e65e4599d52c3..cbd1b3aa4b4c8 100644 --- a/x-pack/plugins/maps/public/lazy_load_bundle/index.ts +++ b/x-pack/plugins/maps/public/lazy_load_bundle/index.ts 
@@ -5,7 +5,7 @@ * 2.0. */ -import { IndexPatternsContract } from '@kbn/data-plugin/public'; +import { DataViewsContract } from '@kbn/data-views-plugin/common'; import { AppMountParameters } from '@kbn/core/public'; import { IContainer } from '@kbn/embeddable-plugin/public'; import { LayerDescriptor } from '../../common/descriptor_types'; @@ -27,7 +27,7 @@ export interface LazyLoadedMapModules { initialInput: MapEmbeddableInput, parent?: IContainer ) => MapEmbeddableType; - getIndexPatternService: () => IndexPatternsContract; + getIndexPatternService: () => DataViewsContract; getMapsCapabilities: () => any; renderApp: (params: AppMountParameters, AppUsageTracker: React.FC) => Promise<() => void>; createSecurityLayerDescriptors: ( diff --git a/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts b/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts index 7f2eacc257fc5..847aadb447034 100644 --- a/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts +++ b/x-pack/plugins/maps/server/data_indexing/indexing_routes.ts @@ -51,7 +51,7 @@ export function initIndexingRoutes({ async (context, request, response) => { const coreContext = await context.core; const { index, mappings } = request.body; - const indexPatternsService = await dataPlugin.indexPatterns.indexPatternsServiceFactory( + const indexPatternsService = await dataPlugin.indexPatterns.dataViewsServiceFactory( coreContext.savedObjects.client, coreContext.elasticsearch.client.asCurrentUser, request diff --git a/x-pack/plugins/maps/server/kibana_server_services.ts b/x-pack/plugins/maps/server/kibana_server_services.ts index b1dab885ed627..84cedeb721824 100644 --- a/x-pack/plugins/maps/server/kibana_server_services.ts +++ b/x-pack/plugins/maps/server/kibana_server_services.ts 
@@ -20,5 +20,5 @@ export const getSavedObjectClient = (extraTypes?: string[]) => { }; export const getIndexPatternsServiceFactory = () => - pluginsStart.data.indexPatterns.indexPatternsServiceFactory; + pluginsStart.data.indexPatterns.dataViewsServiceFactory; export const getElasticsearch = () => coreStart.elasticsearch; diff --git a/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx b/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx index d41ca59255467..7602da6a6c4e3 100644 --- a/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx +++ b/x-pack/plugins/ml/public/application/components/ml_page/ml_page.tsx @@ -8,7 +8,7 @@ import React, { createContext, FC, useCallback, useMemo, useReducer } from 'react'; import { EuiLoadingContent, EuiPageContentBody } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { Route } from 'react-router-dom'; +import { Redirect, Route, Switch } from 'react-router-dom'; import type { AppMountParameters } from '@kbn/core/public'; import { KibanaPageTemplate, RedirectAppLinks } from '@kbn/kibana-react-plugin/public'; import { useSideNavItems } from './side_nav'; @@ -137,25 +137,28 @@ const CommonPageWrapper: FC = React.memo( value={{ setPageTitle, setHeaderActionMenu: pageDeps.setHeaderActionMenu }} > - {routeList.map((route) => { - return ( - { - window.setTimeout(() => { - pageDeps.setBreadcrumbs(route.breadcrumbs); - }); - return ( - - {route.render(props, pageDeps)} - - ); - }} - /> - ); - })} + + {routeList.map((route) => { + return ( + { + window.setTimeout(() => { + pageDeps.setBreadcrumbs(route.breadcrumbs); + }); + return ( + + {route.render(props, pageDeps)} + + ); + }} + /> + ); + })} + + diff --git a/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx b/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx index 90bba94ee2259..9ddee2348ee39 100644 --- a/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx 
+++ b/x-pack/plugins/ml/public/application/components/ml_page/side_nav.tsx @@ -86,6 +86,7 @@ export function useSideNavItems(activeRoute: MlRoute | undefined) { name: i18n.translate('xpack.ml.navMenu.anomalyDetectionTabLinkText', { defaultMessage: 'Anomaly Detection', }), + disabled: disableLinks, items: [ { id: 'anomaly_detection', diff --git a/x-pack/plugins/ml/public/application/explorer/anomaly_charts_state_service.ts b/x-pack/plugins/ml/public/application/explorer/anomaly_charts_state_service.ts index eaa1572e6fb25..1ffa93344ab03 100644 --- a/x-pack/plugins/ml/public/application/explorer/anomaly_charts_state_service.ts +++ b/x-pack/plugins/ml/public/application/explorer/anomaly_charts_state_service.ts @@ -15,7 +15,7 @@ import { getDefaultChartsData, } from './explorer_charts/explorer_charts_container_service'; import { AnomalyExplorerChartsService } from '../services/anomaly_explorer_charts_service'; -import { getSelectionInfluencers } from './explorer_utils'; +import { getSelectionInfluencers, getSelectionJobIds } from './explorer_utils'; import type { PageUrlStateService } from '../util/url_state'; import type { TableSeverity } from '../components/controls/select_severity/select_severity'; import { AnomalyExplorerUrlStateService } from './hooks/use_explorer_url_state'; @@ -49,12 +49,12 @@ export class AnomalyChartsStateService extends StateService { .subscribe(this._showCharts$) ); - subscription.add(this.initChartDataSubscribtion()); + subscription.add(this.initChartDataSubscription()); return subscription; } - private initChartDataSubscribtion() { + private initChartDataSubscription() { return combineLatest([ this._anomalyExplorerCommonStateService.getSelectedJobs$(), this._anomalyExplorerCommonStateService.getInfluencerFilterQuery$(), 
@@ -74,7 +74,8 @@ export class AnomalyChartsStateService extends StateService { severityState, ]) => { if (!selectedCells) return of(getDefaultChartsData()); - const jobIds = selectedJobs.map((v) => v.id); + + const jobIds = getSelectionJobIds(selectedCells, selectedJobs); this._isChartsDataLoading$.next(true); const selectionInfluencers = getSelectionInfluencers( diff --git a/x-pack/plugins/ml/public/application/explorer/swimlane_annotation_container.tsx b/x-pack/plugins/ml/public/application/explorer/swimlane_annotation_container.tsx index 91cfac98513e0..262ac0c37f405 100644 --- a/x-pack/plugins/ml/public/application/explorer/swimlane_annotation_container.tsx +++ b/x-pack/plugins/ml/public/application/explorer/swimlane_annotation_container.tsx @@ -126,11 +126,14 @@ export const SwimlaneAnnotationContainer: FC = // Add annotation marker mergedAnnotations.forEach((d) => { const annotationWidth = Math.max( - d.end ? xScale(Math.min(d.end, domain.max)) - Math.max(xScale(d.start), startingXPos) : 0, + d.end + ? (xScale(Math.min(d.end, domain.max)) as number) - + Math.max(xScale(d.start) as number, startingXPos) + : 0, ANNOTATION_MIN_WIDTH ); - const xPos = d.start >= domain.min ? xScale(d.start) : startingXPos; + const xPos = d.start >= domain.min ? (xScale(d.start) as number) : startingXPos; svg .append('rect') .classed('mlAnnotationRect', true) diff --git a/x-pack/plugins/ml/public/application/routing/use_active_route.ts b/x-pack/plugins/ml/public/application/routing/use_active_route.ts deleted file mode 100644 index 9183e45c3d0ae..0000000000000 --- a/x-pack/plugins/ml/public/application/routing/use_active_route.ts +++ /dev/null 
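Review bot: The `as number` casts on `xScale(...)` in the swimlane annotation hunk silence the compiler instead of handling the case they cover: if `xScale` is a d3 scale its call signature returns `number | undefined`, and an undefined result now reaches `Math.max` and the rect width as NaN rather than being caught at the type level. A fallback such as `(xScale(d.start) ?? startingXPos)` keeps the narrowing honest; if the scale cannot return undefined for values already clamped to `domain`, a one-line comment saying so would justify the casts. The `forEach` body continues outside the hunk.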
@@ -1,53 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { useLocation, useRouteMatch } from 'react-router-dom'; -import { keyBy } from 'lodash'; -import { useMemo } from 'react'; -import { useExecutionContext } from '@kbn/kibana-react-plugin/public'; -import { useMlKibana } from '../contexts/kibana'; -import type { MlRoute } from './router'; - -/** - * Provides an active route of the ML app. - * @param routesList - */ -export const useActiveRoute = (routesList: MlRoute[]): MlRoute => { - const { pathname } = useLocation(); - - const { - services: { executionContext }, - } = useMlKibana(); - - /** - * Temp fix for routes with params. - */ - const editCalendarMatch = useRouteMatch('/settings/calendars_list/edit_calendar/:calendarId'); - const editFilterMatch = useRouteMatch('/settings/filter_lists/edit_filter_list/:filterId'); - - const routesMap = useMemo(() => keyBy(routesList, 'path'), []); - - const activeRoute = useMemo(() => { - if (editCalendarMatch) { - return routesMap[editCalendarMatch.path]; - } - if (editFilterMatch) { - return routesMap[editFilterMatch.path]; - } - // Remove trailing slash from the pathname - const pathnameKey = pathname.replace(/\/$/, ''); - return routesMap[pathnameKey] ?? routesMap['/overview']; - }, [pathname]); - - useExecutionContext(executionContext, { - name: 'Machine Learning', - type: 'application', - page: activeRoute?.path, - }); - - return activeRoute; -}; diff --git a/x-pack/plugins/ml/public/application/routing/use_active_route.tsx b/x-pack/plugins/ml/public/application/routing/use_active_route.tsx new file mode 100644 index 0000000000000..73651549238a4 --- /dev/null +++ b/x-pack/plugins/ml/public/application/routing/use_active_route.tsx 
@@ -0,0 +1,99 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useLocation, useRouteMatch } from 'react-router-dom'; +import { keyBy } from 'lodash'; +import React, { useEffect, useMemo, useRef } from 'react'; +import { toMountPoint, useExecutionContext } from '@kbn/kibana-react-plugin/public'; +import { EuiCallOut } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { useMlKibana } from '../contexts/kibana'; +import type { MlRoute } from './router'; + +/** + * Provides an active route of the ML app. + * @param routesList + */ +export const useActiveRoute = (routesList: MlRoute[]): MlRoute => { + const { pathname } = useLocation(); + + const { + services: { executionContext, overlays, theme }, + } = useMlKibana(); + + /** + * Temp fix for routes with params. + */ + const editCalendarMatch = useRouteMatch('/settings/calendars_list/edit_calendar/:calendarId'); + const editFilterMatch = useRouteMatch('/settings/filter_lists/edit_filter_list/:filterId'); + + const routesMap = useMemo(() => keyBy(routesList, 'path'), []); + + const activeRoute = useMemo(() => { + if (editCalendarMatch) { + return routesMap[editCalendarMatch.path]; + } + if (editFilterMatch) { + return routesMap[editFilterMatch.path]; + } + // Remove trailing slash from the pathname + const pathnameKey = pathname.replace(/\/$/, ''); + return routesMap[pathnameKey]; + }, [pathname]); + + const bannerId = useRef(); + + useEffect( + function handleNotFoundRoute() { + if (!activeRoute && !!pathname) { + bannerId.current = overlays.banners.replace( + bannerId.current, + toMountPoint( + + } + data-test-subj={'mlPageNotFoundBanner'} + > +

+ +

+
, + { theme$: theme.theme$ } + ) + ); + + // hide the message after the user has had a chance to acknowledge it -- so it doesn't permanently stick around + setTimeout(() => { + if (bannerId.current) { + overlays.banners.remove(bannerId.current); + } + }, 15000); + } + }, + [activeRoute, overlays, theme, pathname] + ); + + useExecutionContext(executionContext, { + name: 'Machine Learning', + type: 'application', + page: activeRoute?.path ?? '/overview', + }); + + return activeRoute ?? routesMap['/overview']; +}; diff --git a/x-pack/plugins/monitoring/server/routes/index.ts b/x-pack/plugins/monitoring/server/routes/index.ts index bb137bdf70193..32f2f06188d95 100644 --- a/x-pack/plugins/monitoring/server/routes/index.ts +++ b/x-pack/plugins/monitoring/server/routes/index.ts @@ -32,14 +32,14 @@ export function requireUIRoutes( : server; registerV1AlertRoutes(decoratedServer, npRoute); - registerV1ApmRoutes(server); - registerV1BeatsRoutes(server); - registerV1CheckAccessRoutes(server); - registerV1ClusterRoutes(server); - registerV1ElasticsearchRoutes(server); - registerV1ElasticsearchSettingsRoutes(server, npRoute); - registerV1EnterpriseSearchRoutes(server); - registerV1LogstashRoutes(server); - registerV1SetupRoutes(server); - registerV1KibanaRoutes(server); + registerV1ApmRoutes(decoratedServer); + registerV1BeatsRoutes(decoratedServer); + registerV1CheckAccessRoutes(decoratedServer); + registerV1ClusterRoutes(decoratedServer); + registerV1ElasticsearchRoutes(decoratedServer); + registerV1ElasticsearchSettingsRoutes(decoratedServer, npRoute); + registerV1EnterpriseSearchRoutes(decoratedServer); + registerV1LogstashRoutes(decoratedServer); + registerV1SetupRoutes(decoratedServer); + registerV1KibanaRoutes(decoratedServer); } diff --git a/x-pack/plugins/observability/public/components/app/section/ux/index.tsx b/x-pack/plugins/observability/public/components/app/section/ux/index.tsx index da5bffd6cb186..f42db26b1e7d0 100644 
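Review bot: `handleNotFoundRoute` schedules a 15 s `setTimeout` to remove the banner but returns no cleanup, so the timer keeps running after the hook's component unmounts or after `activeRoute`/`pathname` change, and a second not-found navigation inside that window leaves an older timer that removes the newer banner early. Keep the handle and clear it in the effect cleanup inside the `if` branch: `const timer = setTimeout(() => { ... }, 15000);` followed by `return () => clearTimeout(timer);`, and give the literal a name such as `NOT_FOUND_BANNER_TIMEOUT_MS`. The JSX passed to `toMountPoint` is not visible in this rendering of the hunk, so the banner content is not reviewed here. `routesMap` is still memoised with an empty dependency list although it is derived from `routesList`; that is carried over from the deleted `.ts` file rather than introduced by this commit, but the new file is the place to fix it.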
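Review bot: Every V1 route group now registers through `decoratedServer`, and the `: server;` at the top of the hunk shows it may resolve to the undecorated server in some configurations, so the reason for routing all registration through it is not stated anywhere in the function. A one-line comment above `registerV1AlertRoutes`, `// all route registration goes through decoratedServer so nothing bypasses the decoration applied above`, would keep future additions from passing `server` again. The body of `requireUIRoutes` starts before the hunk, so the decoration itself is not visible here.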
--- a/x-pack/plugins/observability/public/components/app/section/ux/index.tsx
+++ b/x-pack/plugins/observability/public/components/app/section/ux/index.tsx
@@ -50,6 +50,7 @@ export function UXSection({ bucketSize }: Props) {
 breakdown: SERVICE_NAME,
 dataType: 'ux' as AppDataType,
 selectedMetricField: TRANSACTION_DURATION,
+ showPercentileAnnotations: false,
 },
 ];
 
diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/constants/url_constants.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/constants/url_constants.ts
index 32ac0b91b830b..df2f31481016d 100644
--- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/constants/url_constants.ts
+++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/constants/url_constants.ts
@@ -16,6 +16,7 @@ export enum URL_KEYS {
 HIDDEN = 'h',
 NAME = 'n',
 COLOR = 'c',
+ SHOW_PERCENTILE_ANNOTATIONS = 'spa',
 }
 
 export const ALL_VALUES_SELECTED = 'ALL_VALUES';
diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.test.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.test.ts
index adbd160f761e4..3c0e84b6cafed 100644
--- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.test.ts
+++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.test.ts
@@ -19,6 +19,7 @@ import { buildExistsFilter, buildPhrasesFilter } from './utils'; import { sampleAttributeKpi } from './test_data/sample_attribute_kpi'; import { RECORDS_FIELD, REPORT_METRIC_FIELD, PERCENTILE_RANKS, ReportTypes } from './constants'; import { obsvReportConfigMap } from '../obsv_exploratory_view'; +import { sampleAttributeWithReferenceLines } from './test_data/sample_attribute_with_reference_lines'; describe('Lens Attribute', () => { mockAppDataView(); @@ -124,6 +125,7 @@ describe('Lens Attribute', () => { }, ...PERCENTILE_RANKS.reduce((acc: Record, rank, index) => { acc[`y-axis-column-${index === 0 ? 'layer' + index : index}`] = { + customLabel: true, dataType: 'number', filter: { language: 'kuery', @@ -145,6 +147,7 @@ describe('Lens Attribute', () => { it('should return main y axis', function () { expect(lnsAttr.getMainYAxis(layerConfig, 'layer0', '')).toEqual({ + customLabel: true, dataType: 'number', isBucketed: false, label: 'Pages loaded', @@ -159,7 +162,7 @@ describe('Lens Attribute', () => { formula: 'count() / overall_sum(count())', isFormulaBroken: false, }, - references: ['y-axis-column-layer0X4'], + references: ['y-axis-column-layer0X3'], scale: 'ratio', }); }); @@ -197,6 +200,7 @@ describe('Lens Attribute', () => { }, fieldName: 'transaction.duration.us', columnLabel: 'Page load time', + showPercentileAnnotations: true, }) ); }); @@ -230,6 +234,7 @@ describe('Lens Attribute', () => { }, fieldName: TRANSACTION_DURATION, columnLabel: 'Page load time', + showPercentileAnnotations: true, }) ); }); 
@@ -339,135 +344,7 @@ describe('Lens Attribute', () => { }); it('should return first layer', function () { - expect(lnsAttr.getLayers()).toEqual({ - layer0: { - columnOrder: [ - 'x-axis-column-layer0', - 'y-axis-column-layer0', - 'y-axis-column-layer0X0', - 'y-axis-column-layer0X1', - 'y-axis-column-layer0X2', - 'y-axis-column-layer0X3', - 'y-axis-column-layer0X4', - ], - columns: { - 'x-axis-column-layer0': { - dataType: 'number', - isBucketed: true, - label: 'Page load time', - operationType: 'range', - params: { - maxBars: 'auto', - ranges: [ - { - from: 0, - label: '', - to: 1000, - }, - ], - type: 'histogram', - }, - scale: 'interval', - sourceField: 'transaction.duration.us', - }, - 'y-axis-column-layer0': { - dataType: 'number', - filter: { - language: 'kuery', - query: - 'transaction.type: page-load and processor.event: transaction and transaction.type : *', - }, - isBucketed: false, - label: 'Pages loaded', - operationType: 'formula', - params: { - format: { - id: 'percent', - params: { - decimals: 0, - }, - }, - formula: - "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *'))", - isFormulaBroken: false, - }, - references: ['y-axis-column-layer0X4'], - scale: 'ratio', - }, - 'y-axis-column-layer0X0': { - customLabel: true, - dataType: 'number', - filter: { - language: 'kuery', - query: - 'transaction.type: page-load and processor.event: transaction and transaction.type : *', - }, - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'count', - scale: 'ratio', - sourceField: RECORDS_FIELD, - }, - 'y-axis-column-layer0X1': { - customLabel: true, - dataType: 'number', - filter: { - language: 'kuery', - query: - 'transaction.type: page-load and processor.event: transaction and transaction.type : *', - }, - isBucketed: false, - label: 'Part of count() / 
overall_sum(count())', - operationType: 'count', - scale: 'ratio', - sourceField: RECORDS_FIELD, - }, - 'y-axis-column-layer0X2': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'math', - params: { - tinymathAst: 'y-axis-column-layer0X1', - }, - references: ['y-axis-column-layer0X1'], - scale: 'ratio', - }, - 'y-axis-column-layer0X3': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'overall_sum', - references: ['y-axis-column-layer0X2'], - scale: 'ratio', - }, - 'y-axis-column-layer0X4': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'math', - params: { - tinymathAst: { - args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], - location: { - max: 30, - min: 0, - }, - name: 'divide', - text: "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *'))", - type: 'function', - }, - }, - references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], - scale: 'ratio', - }, - }, - incompleteColumns: {}, - }, - }); + expect(lnsAttr.getLayers()).toEqual(sampleAttribute.state.datasourceStates.indexpattern.layers); }); it('should return expected XYState', function () { 
@@ -486,6 +363,59 @@ describe('Lens Attribute', () => { xAccessor: 'x-axis-column-layer0', yConfig: [{ color: 'green', forAccessor: 'y-axis-column-layer0', axisMode: 'left' }], }, + { + accessors: [ + '50th-percentile-reference-line-layer0-reference-lines', + '75th-percentile-reference-line-layer0-reference-lines', + '90th-percentile-reference-line-layer0-reference-lines', + '95th-percentile-reference-line-layer0-reference-lines', + '99th-percentile-reference-line-layer0-reference-lines', + ], + layerId: 'layer0-reference-lines', + layerType: 'referenceLine', + yConfig: [ + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '50th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '75th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '90th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '95th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '99th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + ], + }, ], legend: { isVisible: true, showSingleSeries: true, position: 'right' }, preferredSeriesType: 'line', @@ -514,7 +444,7 @@ describe('Lens Attribute', () => { time: { from: 'now-15m', to: 'now' }, color: 'green', name: 'test-series', - selectedMetricField: TRANSACTION_DURATION, + selectedMetricField: LCP_FIELD, }; lnsAttr = new LensAttributes([layerConfig1], reportViewConfig.reportType); 
@@ -549,7 +479,6 @@ describe('Lens Attribute', () => { 'y-axis-column-layer0X1', 'y-axis-column-layer0X2', 'y-axis-column-layer0X3', - 'y-axis-column-layer0X4', ], columns: { 'breakdown-column-layer0': { @@ -572,7 +501,7 @@ describe('Lens Attribute', () => { 'x-axis-column-layer0': { dataType: 'number', isBucketed: true, - label: 'Page load time', + label: 'Largest contentful paint', operationType: 'range', params: { maxBars: 'auto', @@ -586,9 +515,10 @@ describe('Lens Attribute', () => { type: 'histogram', }, scale: 'interval', - sourceField: 'transaction.duration.us', + sourceField: LCP_FIELD, }, 'y-axis-column-layer0': { + customLabel: true, dataType: 'number', filter: { language: 'kuery', @@ -609,7 +539,7 @@ describe('Lens Attribute', () => { "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *'))", isFormulaBroken: false, }, - references: ['y-axis-column-layer0X4'], + references: ['y-axis-column-layer0X3'], scale: 'ratio', }, 'y-axis-column-layer0X0': { @@ -645,23 +575,11 @@ describe('Lens Attribute', () => { dataType: 'number', isBucketed: false, label: 'Part of count() / overall_sum(count())', - operationType: 'math', - params: { - tinymathAst: 'y-axis-column-layer0X1', - }, + operationType: 'overall_sum', references: ['y-axis-column-layer0X1'], scale: 'ratio', }, 'y-axis-column-layer0X3': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'overall_sum', - references: ['y-axis-column-layer0X2'], - scale: 'ratio', - }, - 'y-axis-column-layer0X4': { customLabel: true, dataType: 'number', isBucketed: false, 
@@ -669,7 +587,7 @@ describe('Lens Attribute', () => { operationType: 'math', params: { tinymathAst: { - args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], + args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], location: { max: 30, min: 0, @@ -679,7 +597,7 @@ describe('Lens Attribute', () => { type: 'function', }, }, - references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], + references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], scale: 'ratio', }, }, @@ -713,4 +631,25 @@ describe('Lens Attribute', () => { ); }); }); + + describe('Reference line layers', function () { + it('should return expected reference lines', function () { + const layerConfig1: LayerConfig = { + seriesConfig: reportViewConfig, + seriesType: 'line', + indexPattern: mockDataView, + reportDefinitions: {}, + time: { from: 'now-15m', to: 'now' }, + color: 'green', + name: 'test-series', + selectedMetricField: TRANSACTION_DURATION, + }; + + lnsAttr = new LensAttributes([layerConfig1], reportViewConfig.reportType); + + const attributes = lnsAttr.getJSON(); + + expect(attributes).toEqual(sampleAttributeWithReferenceLines); + }); + }); }); diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.ts index 2d15cb608d765..65daef7ac85f6 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes.ts 
@@ -9,37 +9,37 @@ import { i18n } from '@kbn/i18n'; import { capitalize } from 'lodash'; import { ExistsFilter, isExistsFilter } from '@kbn/es-query'; import { + AvgIndexPatternColumn, + CardinalityIndexPatternColumn, CountIndexPatternColumn, + DataType, DateHistogramIndexPatternColumn, - AvgIndexPatternColumn, + FieldBasedIndexPatternColumn, + FiltersIndexPatternColumn, MedianIndexPatternColumn, + OperationMetadata, + OperationType, PercentileIndexPatternColumn, LastValueIndexPatternColumn, - OperationType, PersistedIndexPatternLayer, RangeIndexPatternColumn, SeriesType, - TypedLensByValueInput, - XYState, - XYCurveType, - DataType, - OperationMetadata, - FieldBasedIndexPatternColumn, SumIndexPatternColumn, TermsIndexPatternColumn, - CardinalityIndexPatternColumn, - FiltersIndexPatternColumn, + TypedLensByValueInput, + XYCurveType, + XYState, } from '@kbn/lens-plugin/public'; import type { DataView } from '@kbn/data-views-plugin/common'; import { PersistableFilter } from '@kbn/lens-plugin/common'; import { urlFiltersToKueryString } from '../utils/stringify_kueries'; import { FILTER_RECORDS, - USE_BREAK_DOWN_COLUMN, - TERMS_COLUMN, - REPORT_METRIC_FIELD, RECORDS_FIELD, RECORDS_PERCENTAGE_FIELD, + REPORT_METRIC_FIELD, + TERMS_COLUMN, + USE_BREAK_DOWN_COLUMN, PERCENTILE, PERCENTILE_RANKS, ReportTypes, @@ -75,6 +75,7 @@ export const parseCustomFieldName = (seriesConfig: SeriesConfig, selectedMetricF let timeScale; let columnLabel; let columnField; + let showPercentileAnnotations; const metricOptions = seriesConfig.metricOptions ?? []; @@ -88,6 +89,7 @@ export const parseCustomFieldName = (seriesConfig: SeriesConfig, selectedMetricF columnFilter = currField?.columnFilter; timeScale = currField?.timeScale; columnLabel = currField?.label; + showPercentileAnnotations = currField?.showPercentileAnnotations; paramFilters = currField?.paramFilters; columnField = currField?.field; } 
@@ -102,6 +104,7 @@ export const parseCustomFieldName = (seriesConfig: SeriesConfig, selectedMetricF columnLabel, columnFilter, columnField, + showPercentileAnnotations, }; }; @@ -117,6 +120,7 @@ export interface LayerConfig { selectedMetricField: string; color: string; name: string; + showPercentileAnnotations?: boolean; } export class LensAttributes { @@ -124,11 +128,20 @@ export class LensAttributes { visualization?: XYState; layerConfigs: LayerConfig[] = []; isMultiSeries?: boolean; + seriesReferenceLines: Record< + string, + { + layerData: PersistedIndexPatternLayer; + layerState: XYState['layers']; + indexPattern: DataView; + } + >; globalFilter?: { query: string; language: string }; reportType: string; constructor(layerConfigs: LayerConfig[], reportType: string) { this.layers = {}; + this.seriesReferenceLines = {}; this.reportType = reportType; layerConfigs.forEach(({ seriesConfig, operationType }) => { @@ -373,6 +386,7 @@ export class LensAttributes { getPercentileBreakdowns( layerConfig: LayerConfig, + layerId: string, columnFilter?: string ): Record { const yAxisColumns = layerConfig.seriesConfig.yAxisColumns; @@ -387,6 +401,7 @@ export class LensAttributes { operationType: PERCENTILE_RANKS[i], label: mainLabel, layerConfig, + layerId, colIndex: i, }), filter: { query: columnFilter || '', language: 'kuery' }, @@ -408,6 +423,7 @@ export class LensAttributes { }), operationType: 'percentile', params: getPercentileParam(percentileValue), + customLabel: true, }; } @@ -468,6 +484,7 @@ export class LensAttributes { return this.getColumnBasedOnType({ layerConfig, + layerId, label: xAxisColumn.label, sourceField: xAxisColumn.sourceField, }); 
@@ -479,16 +496,29 @@ export class LensAttributes { layerConfig, operationType, colIndex, + layerId, }: { sourceField: string; operationType?: OperationType; label?: string; + layerId: string; layerConfig: LayerConfig; colIndex?: number; }) { const { breakdown, seriesConfig } = layerConfig; - const { fieldMeta, columnType, fieldName, columnLabel, timeScale, columnFilters } = - this.getFieldMeta(sourceField, layerConfig); + const { + fieldMeta, + columnType, + fieldName, + columnLabel, + timeScale, + columnFilters, + showPercentileAnnotations, + } = this.getFieldMeta(sourceField, layerConfig); + + if (showPercentileAnnotations) { + this.addThresholdLayer(fieldName, layerId, layerConfig); + } const { type: fieldType } = fieldMeta ?? {}; @@ -553,8 +583,15 @@ export class LensAttributes { getFieldMeta(sourceField: string, layerConfig: LayerConfig) { if (sourceField === REPORT_METRIC_FIELD) { - const { fieldName, columnType, columnLabel, columnFilters, timeScale, paramFilters } = - parseCustomFieldName(layerConfig.seriesConfig, layerConfig.selectedMetricField); + const { + fieldName, + columnType, + columnLabel, + columnFilters, + timeScale, + paramFilters, + showPercentileAnnotations, + } = parseCustomFieldName(layerConfig.seriesConfig, layerConfig.selectedMetricField); const fieldMeta = layerConfig.indexPattern.getFieldByName(fieldName!); return { fieldMeta, @@ -564,6 +601,8 @@ export class LensAttributes { columnFilters, timeScale, paramFilters, + showPercentileAnnotations: + layerConfig.showPercentileAnnotations ?? showPercentileAnnotations, }; } else { const fieldMeta = layerConfig.indexPattern.getFieldByName(sourceField); 
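Review bot: `getColumnBasedOnType` now mutates `this.seriesReferenceLines` via `addThresholdLayer` as a side effect of building a column, and since it is reached from the x-axis, main y-axis and child y-axis builders, the same reference-line layer is rebuilt every time the field is resolved; the result is idempotent because the entry is keyed by `${layerId}-reference-lines`, but the repeated `getThresholdColumns` work and the hidden ordering dependency are easy to miss. Guard the call, `if (showPercentileAnnotations && !this.seriesReferenceLines[`${layerId}-reference-lines`]) {`, or register the layer once where layers are assembled. In `getFieldMeta`, `layerConfig.showPercentileAnnotations ?? showPercentileAnnotations` correctly lets a per-layer `false` override a metric option's `true`; a comment saying `// per-layer setting wins over the metric option's default` would make that precedence explicit. Both methods extend beyond the hunk.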
@@ -591,22 +630,28 @@ export class LensAttributes { layerConfig, colIndex: 0, operationType: breakdown === PERCENTILE ? PERCENTILE_RANKS[0] : operationType, + layerId, }); } - getChildYAxises(layerConfig: LayerConfig, layerId?: string, columnFilter?: string) { + getChildYAxises( + layerConfig: LayerConfig, + layerId: string, + columnFilter?: string, + forAccessorsKeys?: boolean + ) { const { breakdown } = layerConfig; const lensColumns: Record = {}; const yAxisColumns = layerConfig.seriesConfig.yAxisColumns; const { sourceField: mainSourceField, label: mainLabel } = yAxisColumns[0]; - if (mainSourceField === RECORDS_PERCENTAGE_FIELD && layerId) { + if (mainSourceField === RECORDS_PERCENTAGE_FIELD && layerId && !forAccessorsKeys) { return getDistributionInPercentageColumn({ label: mainLabel, layerId, columnFilter }) .supportingColumns; } if (yAxisColumns.length === 1 && breakdown === PERCENTILE) { - return this.getPercentileBreakdowns(layerConfig, columnFilter); + return this.getPercentileBreakdowns(layerConfig, layerId, columnFilter); } if (yAxisColumns.length === 1) { @@ -623,6 +668,7 @@ export class LensAttributes { label, layerConfig, colIndex: i, + layerId, }); } return lensColumns; @@ -805,6 +851,10 @@ export class LensAttributes { }; }); + Object.entries(this.seriesReferenceLines).forEach(([id, { layerData }]) => { + layers[id] = layerData; + }); + return layers; } 
@@ -822,41 +872,118 @@ export class LensAttributes { tickLabelsVisibilitySettings: { x: true, yLeft: true, yRight: true }, gridlinesVisibilitySettings: { x: true, yLeft: true, yRight: true }, preferredSeriesType: 'line', - layers: this.layerConfigs.map((layerConfig, index) => ({ - accessors: [ - `y-axis-column-layer${index}`, - ...Object.keys(this.getChildYAxises(layerConfig)), - ], - layerId: `layer${index}`, - layerType: 'data', - seriesType: layerConfig.seriesType || layerConfig.seriesConfig.defaultSeriesType, - palette: layerConfig.seriesConfig.palette, - yConfig: layerConfig.seriesConfig.yConfig || [ - { - forAccessor: `y-axis-column-layer${index}`, - color: layerConfig.color, - /* if the fields format matches the field format of the first layer, use the default y axis (right) - * if not, use the secondary y axis (left) */ - axisMode: - layerConfig.indexPattern.fieldFormatMap[layerConfig.selectedMetricField]?.id === - this.layerConfigs[0].indexPattern.fieldFormatMap[ - this.layerConfigs[0].selectedMetricField - ]?.id - ? 'left' - : 'right', - }, - ], - xAccessor: `x-axis-column-layer${index}`, - ...(layerConfig.breakdown && - layerConfig.breakdown !== PERCENTILE && - layerConfig.seriesConfig.xAxisColumn.sourceField !== USE_BREAK_DOWN_COLUMN - ? { splitAccessor: `breakdown-column-layer${index}` } - : {}), - })), + layers: this.getDataLayers(), + ...(this.layerConfigs[0].seriesConfig.yTitle + ? 
{ yTitle: this.layerConfigs[0].seriesConfig.yTitle } + : {}), + }; + } + + getDataLayers(): XYState['layers'] { + const dataLayers = this.layerConfigs.map((layerConfig, index) => ({ + accessors: [ + `y-axis-column-layer${index}`, + ...Object.keys(this.getChildYAxises(layerConfig, `layer${index}`, undefined, true)), + ], + layerId: `layer${index}`, + layerType: 'data' as any, + seriesType: layerConfig.seriesType || layerConfig.seriesConfig.defaultSeriesType, + palette: layerConfig.seriesConfig.palette, + yConfig: layerConfig.seriesConfig.yConfig || [ + { + forAccessor: `y-axis-column-layer${index}`, + color: layerConfig.color, + /* if the fields format matches the field format of the first layer, use the default y axis (right) + * if not, use the secondary y axis (left) */ + axisMode: + layerConfig.indexPattern.fieldFormatMap[layerConfig.selectedMetricField]?.id === + this.layerConfigs[0].indexPattern.fieldFormatMap[ + this.layerConfigs[0].selectedMetricField + ]?.id + ? 'left' + : 'right', + }, + ], + xAccessor: `x-axis-column-layer${index}`, + ...(layerConfig.breakdown && + layerConfig.breakdown !== PERCENTILE && + layerConfig.seriesConfig.xAxisColumn.sourceField !== USE_BREAK_DOWN_COLUMN + ? { splitAccessor: `breakdown-column-layer${index}` } + : {}), ...(this.layerConfigs[0].seriesConfig.yTitle ? 
{ yTitle: this.layerConfigs[0].seriesConfig.yTitle } : {}), + })); + + const referenceLineLayers: XYState['layers'] = []; + + Object.entries(this.seriesReferenceLines).forEach(([_id, { layerState }]) => { + referenceLineLayers.push(layerState[0]); + }); + + return [...dataLayers, ...referenceLineLayers]; + } + + addThresholdLayer( + fieldName: string, + layerId: string, + { seriesConfig, indexPattern }: LayerConfig + ) { + const referenceLineLayerId = `${layerId}-reference-lines`; + + const referenceLineColumns = this.getThresholdColumns( + fieldName, + referenceLineLayerId, + seriesConfig + ); + + const layerData = { + columnOrder: Object.keys(referenceLineColumns), + columns: referenceLineColumns, + incompleteColumns: {}, }; + + const layerState = this.getThresholdLayer(fieldName, referenceLineLayerId, seriesConfig); + + this.seriesReferenceLines[referenceLineLayerId] = { layerData, layerState, indexPattern }; + } + + getThresholdLayer( + fieldName: string, + referenceLineLayerId: string, + seriesConfig: SeriesConfig + ): XYState['layers'] { + const columns = this.getThresholdColumns(fieldName, referenceLineLayerId, seriesConfig); + + return [ + { + layerId: referenceLineLayerId, + accessors: Object.keys(columns), + layerType: 'referenceLine', + yConfig: Object.keys(columns).map((columnId) => ({ + axisMode: 'bottom', + color: '#6092C0', + forAccessor: columnId, + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + })), + }, + ]; + } + + getThresholdColumns(fieldName: string, layerId: string, seriesConfig: SeriesConfig) { + const referenceLines = ['50th', '75th', '90th', '95th', '99th']; + const columns: Record = {}; + + referenceLines.forEach((referenceLine) => { + columns[`${referenceLine}-percentile-reference-line-${layerId}`] = { + ...this.getPercentileNumberColumn(fieldName, referenceLine, seriesConfig), + label: referenceLine, + }; + }); + + return columns; } getReferences() { 
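Review bot: `getDataLayers` depends on the `layerConfigs.map(...)` running before `Object.entries(this.seriesReferenceLines)` is read, because `seriesReferenceLines` is filled as a side effect of column construction (the `getChildYAxises(..., true)` call inside the map reaches `addThresholdLayer`); nothing states this, and reordering the two statements would silently drop the reference-line layers, so a comment on the `referenceLineLayers` block, `// seriesReferenceLines is populated while the data layers above are built`, is warranted. `addThresholdLayer` calls `getThresholdColumns` and then `getThresholdLayer` computes the same columns again for the same inputs; passing `referenceLineColumns` into `getThresholdLayer` removes the duplicate work. `layerType: 'data' as any` switches off type checking for the whole layer object, where `'data' as const` would likely suffice. The `'#6092C0'` colour and the `['50th', '75th', '90th', '95th', '99th']` list are literals inside the methods and would be easier to find and reuse as named module-level constants.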
@@ -864,6 +991,14 @@ export class LensAttributes {
 new Set([...this.layerConfigs.map(({ indexPattern }) => indexPattern.id)])
 );
 
+ const referenceLineIndexReferences = Object.entries(this.seriesReferenceLines).map(
+ ([id, { indexPattern }]) => ({
+ id: indexPattern.id!,
+ name: getLayerReferenceName(id),
+ type: 'index-pattern',
+ })
+ );
+
 return [
 ...uniqueIndexPatternsIds.map((patternId) => ({
 id: patternId!,
@@ -875,6 +1010,7 @@ export class LensAttributes {
 name: getLayerReferenceName(`layer${index}`),
 type: 'index-pattern',
 })),
+ ...referenceLineIndexReferences,
 ];
 }
 
diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts
index f0b1c6542c166..6af077b9e8b80 100644
--- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts
+++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_attributes/single_metric_attributes.test.ts
@@ -124,6 +124,7 @@ describe('SingleMetricAttributes', () => {
 columnOrder: ['layer-0-column-1'],
 columns: {
 'layer-0-column-1': {
+ customLabel: true,
 dataType: 'number',
 isBucketed: false,
 label: 'Page load time',
diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.ts
similarity index 82%
rename from x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.tsx
rename to x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.ts
index a3f55385d60fa..66c246f36db18 100644
--- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/lens_columns/overall_column.ts @@ -32,6 +32,7 @@ export function getDistributionInPercentageColumn({ } const main: FormulaIndexPatternColumn = { + customLabel: true, label: label || 'Percentage of records', dataType: 'number' as DataType, operationType: 'formula', @@ -42,7 +43,7 @@ export function getDistributionInPercentageColumn({ isFormulaBroken: false, format: { id: 'percent', params: { decimals: 0 } }, }, - references: [`${yAxisColId}X4`], + references: [`${yAxisColId}X3`], }; const countColumn: CountIndexPatternColumn = { @@ -56,24 +57,13 @@ export function getDistributionInPercentageColumn({ filter: { query: columnFilter ?? '', language: 'kuery' }, }; - const mathColumn: MathIndexPatternColumn = { - label: 'Part of count() / overall_sum(count())', - dataType: 'number', - operationType: 'math', - isBucketed: false, - scale: 'ratio', - params: { tinymathAst: `${yAxisColId}X1` }, - references: [`${yAxisColId}X1`], - customLabel: true, - }; - const overAllSumColumn: OverallSumIndexPatternColumn = { label: 'Part of count() / overall_sum(count())', dataType: 'number', operationType: 'overall_sum', isBucketed: false, scale: 'ratio', - references: [`${yAxisColId}X2`], + references: [`${yAxisColId}X1`], customLabel: true, }; @@ -87,12 +77,12 @@ export function getDistributionInPercentageColumn({ tinymathAst: { type: 'function', name: 'divide', - args: [`${yAxisColId}X0`, `${yAxisColId}X3`], + args: [`${yAxisColId}X0`, `${yAxisColId}X2`], location: { min: 0, max: 30 }, text: lensFormula, } as unknown as TinymathAST, }, - references: [`${yAxisColId}X0`, `${yAxisColId}X3`], + references: [`${yAxisColId}X0`, `${yAxisColId}X2`], customLabel: true, }; 
@@ -102,9 +92,8 @@ export function getDistributionInPercentageColumn({ > = { [`${yAxisColId}X0`]: countColumn, [`${yAxisColId}X1`]: countColumn, - [`${yAxisColId}X2`]: mathColumn, - [`${yAxisColId}X3`]: overAllSumColumn, - [`${yAxisColId}X4`]: tinyMathColumn, + [`${yAxisColId}X2`]: overAllSumColumn, + [`${yAxisColId}X3`]: tinyMathColumn, }; return { main, supportingColumns }; diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/rum/data_distribution_config.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/rum/data_distribution_config.ts index ff2939213bbc1..32099251f144f 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/rum/data_distribution_config.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/rum/data_distribution_config.ts @@ -83,7 +83,12 @@ export function getRumDistributionConfig({ dataView }: ConfigProps): SeriesConfi ], definitionFields: [SERVICE_NAME, SERVICE_ENVIRONMENT], metricOptions: [ - { label: PAGE_LOAD_TIME_LABEL, id: TRANSACTION_DURATION, field: TRANSACTION_DURATION }, + { + label: PAGE_LOAD_TIME_LABEL, + id: TRANSACTION_DURATION, + field: TRANSACTION_DURATION, + showPercentileAnnotations: true, + }, { label: BACKEND_TIME_LABEL, id: TRANSACTION_TIME_TO_FIRST_BYTE, diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts index e92d4f430ae7b..02ce7d5f0c966 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute.ts 
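Review bot: The supporting-column ids are hand-numbered template strings (`${yAxisColId}X0` … `X3`) repeated in `main.references`, `overAllSumColumn.references`, `tinyMathColumn.params.tinymathAst.args` and `.references` (hunks in L1039), and again as the keys of `supportingColumns` here, so removing `mathColumn` forced a renumbering across five places and any future change carries the same drift risk. Naming each id once at the top of the function, `const countId = `${yAxisColId}X0`;`, `const overallSumId = `${yAxisColId}X2`;`, `const divideId = `${yAxisColId}X3`;`, and using those names in both the column definitions and the map keys would make the wiring checkable by eye. `getDistributionInPercentageColumn` starts outside the hunk.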
@@ -19,6 +19,11 @@ export const sampleAttribute = { name: 'indexpattern-datasource-layer-layer0', type: 'index-pattern', }, + { + id: 'apm-*', + name: 'indexpattern-datasource-layer-layer0-reference-lines', + type: 'index-pattern', + }, ], state: { datasourceStates: { @@ -32,7 +37,6 @@ export const sampleAttribute = { 'y-axis-column-layer0X1', 'y-axis-column-layer0X2', 'y-axis-column-layer0X3', - 'y-axis-column-layer0X4', ], columns: { 'x-axis-column-layer0': { @@ -55,6 +59,7 @@ export const sampleAttribute = { sourceField: 'transaction.duration.us', }, 'y-axis-column-layer0': { + customLabel: true, dataType: 'number', filter: { language: 'kuery', @@ -75,7 +80,7 @@ export const sampleAttribute = { "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : *'))", isFormulaBroken: false, }, - references: ['y-axis-column-layer0X4'], + references: ['y-axis-column-layer0X3'], scale: 'ratio', }, 'y-axis-column-layer0X0': { @@ -111,23 +116,11 @@ export const sampleAttribute = { dataType: 'number', isBucketed: false, label: 'Part of count() / overall_sum(count())', - operationType: 'math', - params: { - tinymathAst: 'y-axis-column-layer0X1', - }, + operationType: 'overall_sum', references: ['y-axis-column-layer0X1'], scale: 'ratio', }, 'y-axis-column-layer0X3': { - customLabel: true, - dataType: 'number', - isBucketed: false, - label: 'Part of count() / overall_sum(count())', - operationType: 'overall_sum', - references: ['y-axis-column-layer0X2'], - scale: 'ratio', - }, - 'y-axis-column-layer0X4': { customLabel: true, dataType: 'number', isBucketed: false, @@ -135,7 +128,7 @@ export const sampleAttribute = { operationType: 'math', params: { tinymathAst: { - args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], + args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], location: { max: 30, min: 0, 
@@ -145,12 +138,84 @@ export const sampleAttribute = { type: 'function', }, }, - references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X3'], + references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], scale: 'ratio', }, }, incompleteColumns: {}, }, + 'layer0-reference-lines': { + columnOrder: [ + '50th-percentile-reference-line-layer0-reference-lines', + '75th-percentile-reference-line-layer0-reference-lines', + '90th-percentile-reference-line-layer0-reference-lines', + '95th-percentile-reference-line-layer0-reference-lines', + '99th-percentile-reference-line-layer0-reference-lines', + ], + columns: { + '50th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '50th', + operationType: 'percentile', + params: { + percentile: 50, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '75th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '75th', + operationType: 'percentile', + params: { + percentile: 75, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '90th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '90th', + operationType: 'percentile', + params: { + percentile: 90, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '95th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '95th', + operationType: 'percentile', + params: { + percentile: 95, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '99th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '99th', + operationType: 'percentile', + params: { + percentile: 99, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + }, + 
incompleteColumns: {}, + }, }, }, }, @@ -188,11 +253,64 @@ export const sampleAttribute = { }, ], }, + { + accessors: [ + '50th-percentile-reference-line-layer0-reference-lines', + '75th-percentile-reference-line-layer0-reference-lines', + '90th-percentile-reference-line-layer0-reference-lines', + '95th-percentile-reference-line-layer0-reference-lines', + '99th-percentile-reference-line-layer0-reference-lines', + ], + layerId: 'layer0-reference-lines', + layerType: 'referenceLine', + yConfig: [ + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '50th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '75th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '90th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '95th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '99th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + ], + }, ], legend: { isVisible: true, - showSingleSeries: true, position: 'right', + showSingleSeries: true, }, preferredSeriesType: 'line', tickLabelsVisibilitySettings: { diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts new file mode 100644 index 0000000000000..16ce665de0de4 --- /dev/null 
+++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/configurations/test_data/sample_attribute_with_reference_lines.ts 
@@ -0,0 +1,326 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { RECORDS_FIELD } from '../constants'; + +export const sampleAttributeWithReferenceLines = { + description: '', + references: [ + { + id: 'apm-*', + name: 'indexpattern-datasource-current-indexpattern', + type: 'index-pattern', + }, + { + id: 'apm-*', + name: 'indexpattern-datasource-layer-layer0', + type: 'index-pattern', + }, + { + id: 'apm-*', + name: 'indexpattern-datasource-layer-layer0-reference-lines', + type: 'index-pattern', + }, + ], + state: { + datasourceStates: { + indexpattern: { + layers: { + layer0: { + columnOrder: [ + 'x-axis-column-layer0', + 'y-axis-column-layer0', + 'y-axis-column-layer0X0', + 'y-axis-column-layer0X1', + 'y-axis-column-layer0X2', + 'y-axis-column-layer0X3', + ], + columns: { + 'x-axis-column-layer0': { + dataType: 'number', + isBucketed: true, + label: 'Page load time', + operationType: 'range', + params: { + maxBars: 'auto', + ranges: [ + { + from: 0, + label: '', + to: 1000, + }, + ], + type: 'histogram', + }, + scale: 'interval', + sourceField: 'transaction.duration.us', + }, + 'y-axis-column-layer0': { + customLabel: true, + dataType: 'number', + filter: { + language: 'kuery', + query: + 'transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)', + }, + isBucketed: false, + label: 'Pages loaded', + operationType: 'formula', + params: { + format: { + id: 'percent', + params: { + decimals: 0, + }, + }, + formula: + "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: 
(elastic or kibana)'))", + isFormulaBroken: false, + }, + references: ['y-axis-column-layer0X3'], + scale: 'ratio', + }, + 'y-axis-column-layer0X0': { + customLabel: true, + dataType: 'number', + filter: { + language: 'kuery', + query: + 'transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)', + }, + isBucketed: false, + label: 'Part of count() / overall_sum(count())', + operationType: 'count', + scale: 'ratio', + sourceField: RECORDS_FIELD, + }, + 'y-axis-column-layer0X1': { + customLabel: true, + dataType: 'number', + filter: { + language: 'kuery', + query: + 'transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)', + }, + isBucketed: false, + label: 'Part of count() / overall_sum(count())', + operationType: 'count', + scale: 'ratio', + sourceField: RECORDS_FIELD, + }, + 'y-axis-column-layer0X2': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: 'Part of count() / overall_sum(count())', + operationType: 'overall_sum', + references: ['y-axis-column-layer0X1'], + scale: 'ratio', + }, + 'y-axis-column-layer0X3': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: 'Part of count() / overall_sum(count())', + operationType: 'math', + params: { + tinymathAst: { + args: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], + location: { + max: 30, + min: 0, + }, + name: 'divide', + text: "count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)') / overall_sum(count(kql='transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana)'))", + type: 'function', + }, + }, + references: ['y-axis-column-layer0X0', 'y-axis-column-layer0X2'], + scale: 'ratio', + }, + }, + incompleteColumns: {}, + }, + 'layer0-reference-lines': { + columnOrder: [ + 
'50th-percentile-reference-line-layer0-reference-lines', + '75th-percentile-reference-line-layer0-reference-lines', + '90th-percentile-reference-line-layer0-reference-lines', + '95th-percentile-reference-line-layer0-reference-lines', + '99th-percentile-reference-line-layer0-reference-lines', + ], + columns: { + '50th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '50th', + operationType: 'percentile', + params: { + percentile: 50, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '75th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '75th', + operationType: 'percentile', + params: { + percentile: 75, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '90th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '90th', + operationType: 'percentile', + params: { + percentile: 90, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '95th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '95th', + operationType: 'percentile', + params: { + percentile: 95, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + '99th-percentile-reference-line-layer0-reference-lines': { + customLabel: true, + dataType: 'number', + isBucketed: false, + label: '99th', + operationType: 'percentile', + params: { + percentile: 99, + }, + scale: 'ratio', + sourceField: 'transaction.duration.us', + }, + }, + incompleteColumns: {}, + }, + }, + }, + }, + filters: [], + query: { + language: 'kuery', + query: + 'transaction.type: page-load and processor.event: transaction and transaction.type : * and service.name: (elastic or kibana) and transaction.duration.us < 60000000', + }, + visualization: { + 
axisTitlesVisibilitySettings: { + x: true, + yLeft: true, + yRight: true, + }, + curveType: 'CURVE_MONOTONE_X', + fittingFunction: 'Linear', + gridlinesVisibilitySettings: { + x: true, + yLeft: true, + yRight: true, + }, + layers: [ + { + accessors: ['y-axis-column-layer0'], + layerId: 'layer0', + layerType: 'data', + seriesType: 'line', + xAccessor: 'x-axis-column-layer0', + yConfig: [ + { + axisMode: 'left', + color: 'green', + forAccessor: 'y-axis-column-layer0', + }, + ], + }, + { + accessors: [ + '50th-percentile-reference-line-layer0-reference-lines', + '75th-percentile-reference-line-layer0-reference-lines', + '90th-percentile-reference-line-layer0-reference-lines', + '95th-percentile-reference-line-layer0-reference-lines', + '99th-percentile-reference-line-layer0-reference-lines', + ], + layerId: 'layer0-reference-lines', + layerType: 'referenceLine', + yConfig: [ + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '50th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '75th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '90th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '95th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + { + axisMode: 'bottom', + color: '#6092C0', + forAccessor: '99th-percentile-reference-line-layer0-reference-lines', + lineStyle: 'solid', + lineWidth: 2, + textVisibility: true, + }, + ], + }, + ], + legend: { + isVisible: true, + position: 'right', + showSingleSeries: true, + }, + preferredSeriesType: 'line', + tickLabelsVisibilitySettings: { + x: true, + yLeft: true, 
+ yRight: true, + }, + valueLabels: 'hide', + }, + }, + title: 'Prefilled from exploratory view app', + visualizationType: 'lnsXY', +}; diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_lens_attributes.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_lens_attributes.ts index e9e1be1be4cac..9e82c80802640 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_lens_attributes.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_lens_attributes.ts @@ -84,6 +84,7 @@ export function getLayerConfigs( reportDefinitions: series.reportDefinitions ?? {}, selectedMetricField: series.selectedMetricField, color: series.color ?? (theme.eui as unknown as Record)[color], + showPercentileAnnotations: series.showPercentileAnnotations, }); } }); diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_series_storage.tsx b/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_series_storage.tsx index a73c4caf10159..9cbddbbde9965 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_series_storage.tsx +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/hooks/use_series_storage.tsx @@ -152,7 +152,7 @@ export function useSeriesStorage() { } function convertFromShortUrl(newValue: ShortUrlSeries): SeriesUrl { - const { dt, op, st, bd, ft, time, rdf, mt, h, n, c, ...restSeries } = newValue; + const { dt, op, st, bd, ft, time, rdf, mt, h, n, c, spa, ...restSeries } = newValue; return { operationType: op, seriesType: st, @@ -165,6 +165,7 @@ function convertFromShortUrl(newValue: ShortUrlSeries): SeriesUrl { hidden: h, name: n, color: c, + showPercentileAnnotations: spa, ...restSeries, }; } 
@@ -180,6 +181,7 @@ interface ShortUrlSeries { [URL_KEYS.HIDDEN]?: boolean; [URL_KEYS.NAME]: string; [URL_KEYS.COLOR]?: string; + [URL_KEYS.SHOW_PERCENTILE_ANNOTATIONS]?: boolean; time?: { to: string; from: string; diff --git a/x-pack/plugins/observability/public/components/shared/exploratory_view/types.ts b/x-pack/plugins/observability/public/components/shared/exploratory_view/types.ts index 4066d41d95d5f..09973e33b0dc2 100644 --- a/x-pack/plugins/observability/public/components/shared/exploratory_view/types.ts +++ b/x-pack/plugins/observability/public/components/shared/exploratory_view/types.ts @@ -53,6 +53,7 @@ export interface MetricOption { columnFilter?: ColumnFilter; paramFilters?: ParamFilter[]; timeScale?: string; + showPercentileAnnotations?: boolean; } export interface SeriesConfig { @@ -101,6 +102,7 @@ export interface SeriesUrl { textReportDefinitions?: URLTextReportDefinition; selectedMetricField?: string; hidden?: boolean; + showPercentileAnnotations?: boolean; color?: string; } diff --git a/x-pack/plugins/observability/public/pages/rule_details/components/item_value_rule_summary.tsx b/x-pack/plugins/observability/public/pages/rule_details/components/item_value_rule_summary.tsx index 6e178250c53ff..1a05e991b08ff 100644 --- a/x-pack/plugins/observability/public/pages/rule_details/components/item_value_rule_summary.tsx +++ b/x-pack/plugins/observability/public/pages/rule_details/components/item_value_rule_summary.tsx @@ -8,9 +8,13 @@ import React from 'react'; import { EuiFlexItem, EuiText } from '@elastic/eui'; import { ItemValueRuleSummaryProps } from '../types'; -export function ItemValueRuleSummary({ itemValue, extraSpace = true }: ItemValueRuleSummaryProps) { +export function ItemValueRuleSummary({ + itemValue, + extraSpace = true, + ...otherProps +}: ItemValueRuleSummaryProps) { return ( - + {itemValue} ); 
diff --git a/x-pack/plugins/observability/public/pages/rule_details/components/page_title.tsx b/x-pack/plugins/observability/public/pages/rule_details/components/page_title.tsx index d75be330df548..8318e4b7c8e60 100644 --- a/x-pack/plugins/observability/public/pages/rule_details/components/page_title.tsx +++ b/x-pack/plugins/observability/public/pages/rule_details/components/page_title.tsx @@ -23,7 +23,12 @@ export function PageTitle({ rule }: PageHeaderProps) { const closeTagsPopover = () => setIsTagsPopoverOpen(false); return ( <> - {rule.name} + + + {rule.name} + + + diff --git a/x-pack/plugins/observability/public/pages/rule_details/index.tsx b/x-pack/plugins/observability/public/pages/rule_details/index.tsx index 745ab2ca044ff..e88467b225e9e 100644 --- a/x-pack/plugins/observability/public/pages/rule_details/index.tsx +++ b/x-pack/plugins/observability/public/pages/rule_details/index.tsx @@ -266,6 +266,7 @@ export function RuleDetailsPage() { rule.notifyWhen; return ( , bottomBorder: false, @@ -284,11 +285,17 @@ export function RuleDetailsPage() { iconType="boxesHorizontal" aria-label="More" onClick={handleOpenPopover} + data-test-subj="moreButton" /> } > - + {i18n.translate('xpack.observability.ruleDetails.editRule', { @@ -302,6 +309,7 @@ export function RuleDetailsPage() { iconType="trash" color="danger" onClick={handleRemoveRule} + data-test-subj="deleteRuleButton" > {i18n.translate('xpack.observability.ruleDetails.deleteRule', { @@ -332,7 +340,7 @@ export function RuleDetailsPage() { > {/* Left side of Rule Summary */} - + @@ -411,7 +419,7 @@ export function RuleDetailsPage() { {/* Right side of Rule Summary */} - + @@ -439,6 +447,7 @@ export function RuleDetailsPage() { })} diff --git a/x-pack/plugins/reporting/public/lib/__snapshots__/stream_handler.test.ts.snap b/x-pack/plugins/reporting/public/lib/__snapshots__/stream_handler.test.ts.snap index 935f3e297b2cb..ab6a5109a1066 100644 
--- a/x-pack/plugins/reporting/public/lib/__snapshots__/stream_handler.test.ts.snap +++ b/x-pack/plugins/reporting/public/lib/__snapshots__/stream_handler.test.ts.snap @@ -84,6 +84,9 @@ Array [ />, }, }, + Object { + "toastLifeTimeMs": 86400000, + }, ] `; @@ -184,44 +187,52 @@ Array [ />, }, }, + Object { + "toastLifeTimeMs": 86400000, + }, ] `; exports[`stream handler showNotifications show success 1`] = ` -Object { - "color": "success", - "data-test-subj": "completeReportSuccess", - "text": MountPoint { - "reactNode": -

- +

+ +

+ -

- , + }, + "title": MountPoint { + "reactNode": -
, + />, + }, }, - "title": MountPoint { - "reactNode": , + Object { + "toastLifeTimeMs": 86400000, }, -} +] `; diff --git a/x-pack/plugins/reporting/public/lib/stream_handler.test.ts b/x-pack/plugins/reporting/public/lib/stream_handler.test.ts index d3075d4e5a906..6f575652450c1 100644 --- a/x-pack/plugins/reporting/public/lib/stream_handler.test.ts +++ b/x-pack/plugins/reporting/public/lib/stream_handler.test.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { omit } from 'lodash'; import sinon, { stub } from 'sinon'; import { NotificationsStart } from '@kbn/core/public'; import { coreMock, themeServiceMock, docLinksServiceMock } from '@kbn/core/public/mocks'; @@ -124,7 +123,7 @@ describe('stream handler', () => { expect(mockShowDanger.callCount).toBe(0); expect(mockShowSuccess.callCount).toBe(1); expect(mockShowWarning.callCount).toBe(0); - expect(omit(mockShowSuccess.args[0][0], 'toastLifeTimeMs')).toMatchSnapshot(); + expect(mockShowSuccess.args[0]).toMatchSnapshot(); done(); }); }); diff --git a/x-pack/plugins/reporting/public/lib/stream_handler.ts b/x-pack/plugins/reporting/public/lib/stream_handler.ts index ba2c32de49f64..ef27989a6d420 100644 --- a/x-pack/plugins/reporting/public/lib/stream_handler.ts +++ b/x-pack/plugins/reporting/public/lib/stream_handler.ts @@ -22,6 +22,12 @@ import { import { Job } from './job'; import { ReportingAPIClient } from './reporting_api_client'; +/** + * @todo Replace with `Infinity` once elastic/eui#5945 is resolved. + * @see https://github.com/elastic/eui/issues/5945 + */ +const COMPLETED_JOB_TOAST_TIMEOUT = 24 * 60 * 60 * 1000; // 24 hours + function updateStored(jobIds: JobId[]): void { sessionStorage.setItem(JOB_COMPLETION_NOTIFICATIONS_SESSION_KEY, JSON.stringify(jobIds)); } 
@@ -54,6 +60,8 @@ export class ReportingNotifierStreamHandler { failed: failedJobs, }: JobSummarySet): Rx.Observable { const showNotificationsAsync = async () => { + const completedOptions = { toastLifeTimeMs: COMPLETED_JOB_TOAST_TIMEOUT }; + // notifications with download link for (const job of completedJobs) { if (job.csvContainsFormulas) { @@ -63,7 +71,8 @@ export class ReportingNotifierStreamHandler { this.apiClient.getManagementLink, this.apiClient.getDownloadLink, this.theme - ) + ), + completedOptions ); } else if (job.maxSizeReached) { this.notifications.toasts.addWarning( @@ -72,7 +81,8 @@ export class ReportingNotifierStreamHandler { this.apiClient.getManagementLink, this.apiClient.getDownloadLink, this.theme - ) + ), + completedOptions ); } else if (job.status === JOB_STATUSES.WARNINGS) { this.notifications.toasts.addWarning( @@ -81,7 +91,8 @@ export class ReportingNotifierStreamHandler { this.apiClient.getManagementLink, this.apiClient.getDownloadLink, this.theme - ) + ), + completedOptions ); } else { this.notifications.toasts.addSuccess( @@ -90,7 +101,8 @@ export class ReportingNotifierStreamHandler { this.apiClient.getManagementLink, this.apiClient.getDownloadLink, this.theme - ) + ), + completedOptions ); } } diff --git a/x-pack/plugins/reporting/public/notifier/job_success.tsx b/x-pack/plugins/reporting/public/notifier/job_success.tsx index f7b71d78de8bd..44389e164472a 100644 --- a/x-pack/plugins/reporting/public/notifier/job_success.tsx +++ b/x-pack/plugins/reporting/public/notifier/job_success.tsx 
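Review bot: `completedOptions` is threaded as a trailing argument through four otherwise identical `addWarning`/`addSuccess` calls in the `if`/`else if` chain, so the same `, completedOptions` edit had to be made four times and a fifth branch would need it again. One object instance is also shared by every toast of the batch; if the toast service ever mutates its options argument this would couple them, so if that is a concern pass `{ ...completedOptions }` per call — the toast API is not visible from this hunk, so confirm before changing. Selecting the toast builder in the branches and calling `this.notifications.toasts.add*` once would leave a single place for the option. The enclosing `showNotificationsAsync` and the `for` loop run past the hunk.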
@@ -37,12 +37,5 @@ export const getSuccessToast = ( , { theme$: theme.theme$ } ), - /** - * If timeout is an Infinity value, a Not-a-Number (NaN) value, or negative, then timeout will be zero. - * And we cannot use `Number.MAX_SAFE_INTEGER` because EUI's Timer implementation - * subtracts it from the current time to evaluate the remainder. - * @see https://www.w3.org/TR/2011/WD-html5-20110525/timers.html - */ - toastLifeTimeMs: Number.MAX_SAFE_INTEGER - Date.now(), 'data-test-subj': 'completeReportSuccess', }); diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index 4153317a00ed0..9726aa92fe5f9 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts @@ -119,6 +119,7 @@ export enum SecurityPageName { sessions = 'sessions', usersEvents = 'users-events', usersExternalAlerts = 'users-external_alerts', + kubernetes = 'kubernetes', exploreLanding = 'explore', dashboardsLanding = 'dashboards', } @@ -138,6 +139,7 @@ export const RULES_CREATE_PATH = `${RULES_PATH}/create` as const; export const EXCEPTIONS_PATH = '/exceptions' as const; export const HOSTS_PATH = '/hosts' as const; export const USERS_PATH = '/users' as const; +export const KUBERNETES_PATH = '/kubernetes' as const; export const NETWORK_PATH = '/network' as const; export const MANAGEMENT_PATH = '/administration' as const; export const ENDPOINTS_PATH = `${MANAGEMENT_PATH}/endpoints` as const; 
@@ -162,6 +164,7 @@ export const APP_EXCEPTIONS_PATH = `${APP_PATH}${EXCEPTIONS_PATH}` as const;
 export const APP_HOSTS_PATH = `${APP_PATH}${HOSTS_PATH}` as const;
 export const APP_USERS_PATH = `${APP_PATH}${USERS_PATH}` as const;
 export const APP_NETWORK_PATH = `${APP_PATH}${NETWORK_PATH}` as const;
+export const APP_KUBERNETES_PATH = `${APP_PATH}${KUBERNETES_PATH}` as const;
 export const APP_TIMELINES_PATH = `${APP_PATH}${TIMELINES_PATH}` as const;
 export const APP_CASES_PATH = `${APP_PATH}${CASES_PATH}` as const;
 export const APP_ENDPOINTS_PATH = `${APP_PATH}${ENDPOINTS_PATH}` as const;
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index 86040cf7eaff8..60b408ffee699 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -16,6 +16,7 @@ export const allowedExperimentalValues = Object.freeze({
 tGridEventRenderedViewEnabled: true,
 excludePoliciesInFilterEnabled: false,
 usersEnabled: true,
+ kubernetesEnabled: false,
 disableIsolationUIPendingStatuses: false,
 riskyHostsEnabled: false,
 riskyUsersEnabled: false,
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/details/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/details/index.ts
index 3235c0871fd3c..ea7de5b640773 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/details/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/details/index.ts
@@ -49,7 +49,7 @@ interface ResultHit {
 total: TotalValue | number;
 max_score: number | null;
 hits: Array<{
- _source: T;
+ fields: T;
 sort?: [number];
 _index?: string;
 _type?: string;
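Review bot: Switching the hit shape from `_source: T` to `fields: T` keeps the same type parameter, but an Elasticsearch `fields` response returns every field as an array of values, whereas `_source` returns the document as stored, so any `T` that was written against `_source` shapes is now wrong for single-valued fields and the compiler cannot tell. Unless the instantiations of `T` have been updated to array-valued properties (not visible here), consider declaring the new shape explicitly, e.g. `fields: { [K in keyof T]?: Array<T[K]> };`, so callers are forced to unwrap. The same change is made to `AutonomousSystemHit` and `LocationHit` in top_n_flow/index.ts (L1065). The rest of `ResultHit` lies outside the hunk.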
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_n_flow/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_n_flow/index.ts
index 7f663d76accd0..0524b34d8e538 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_n_flow/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_n_flow/index.ts
@@ -77,7 +77,7 @@ export interface AutonomousSystemHit {
 total: TotalValue | number;
 max_score: number | null;
 hits: Array<{
- _source: T;
+ fields: T;
 sort?: [number];
 _index?: string;
 _type?: string;
@@ -113,7 +113,7 @@ export interface LocationHit {
 total: TotalValue | number;
 max_score: number | null;
 hits: Array<{
- _source: T;
+ fields: T;
 sort?: [number];
 _index?: string;
 _type?: string;
diff --git a/x-pack/plugins/security_solution/kibana.json b/x-pack/plugins/security_solution/kibana.json
index 0c72f5af846d7..756856c55c2f7 100644
--- a/x-pack/plugins/security_solution/kibana.json
+++ b/x-pack/plugins/security_solution/kibana.json
@@ -27,7 +27,7 @@
 "triggersActionsUi",
 "uiActions",
 "unifiedSearch",
- "sessionView"
+ "kubernetesSecurity"
 ],
 "optionalPlugins": [
 "encryptedSavedObjects",
diff --git a/x-pack/plugins/security_solution/public/app/deep_links/index.test.ts b/x-pack/plugins/security_solution/public/app/deep_links/index.test.ts
index 4a9d553dc40d9..85bc03d96b983 100644
--- a/x-pack/plugins/security_solution/public/app/deep_links/index.test.ts
+++ b/x-pack/plugins/security_solution/public/app/deep_links/index.test.ts
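Review bot: `"sessionView"` is removed from `requiredPlugins` rather than moved to `optionalPlugins`, so if security_solution still imports the session view plugin's contract or components anywhere, that dependency is now only transitive through `kubernetesSecurity` and the plugin system will neither guarantee its load order nor report it as missing. If all session view usage has moved into `kubernetesSecurity`, this is fine; otherwise keep `"sessionView"` listed alongside `"kubernetesSecurity"`. The import sites are not visible from this hunk.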
@@ -165,5 +165,22 @@ describe('deepLinks', () => { }); expect(findDeepLink(SecurityPageName.hostsAuthentications, deepLinks)).toBeFalsy(); }); + + it('should return NO kubernetes link when enableExperimental.kubernetesEnabled === false', () => { + const deepLinks = getDeepLinks({ + ...mockGlobalState.app.enableExperimental, + kubernetesEnabled: false, + }); + + expect(findDeepLink(SecurityPageName.kubernetes, deepLinks)).toBeFalsy(); + }); + + it('should return kubernetes link when enableExperimental.kubernetesEnabled === true', () => { + const deepLinks = getDeepLinks({ + ...mockGlobalState.app.enableExperimental, + kubernetesEnabled: true, + }); + expect(findDeepLink(SecurityPageName.kubernetes, deepLinks)).toBeTruthy(); + }); }); }); diff --git a/x-pack/plugins/security_solution/public/app/deep_links/index.ts b/x-pack/plugins/security_solution/public/app/deep_links/index.ts index 1079e1ffab868..a9abc7cc346fc 100644 --- a/x-pack/plugins/security_solution/public/app/deep_links/index.ts +++ b/x-pack/plugins/security_solution/public/app/deep_links/index.ts @@ -27,6 +27,7 @@ import { TIMELINES, MANAGE, USERS, + KUBERNETES, HOST_ISOLATION_EXCEPTIONS, EVENT_FILTERS, BLOCKLIST, @@ -57,6 +58,7 @@ import { HOST_ISOLATION_EXCEPTIONS_PATH, SERVER_APP_ID, USERS_PATH, + KUBERNETES_PATH, EXPLORE_PATH, DASHBOARDS_PATH, MANAGE_PATH, @@ -378,6 +380,19 @@ export const securitySolutionsDeepLinks: SecuritySolutionDeepLink[] = [ }, ], }, + { + id: SecurityPageName.kubernetes, + title: KUBERNETES, + path: KUBERNETES_PATH, + navLinkStatus: AppNavLinkStatus.hidden, + experimentalKey: 'kubernetesEnabled', + keywords: [ + i18n.translate('xpack.securitySolution.search.kubernetes', { + defaultMessage: 'Kubernetes', + }), + ], + order: 9005, + }, ], }, { @@ -402,7 +417,7 @@ export const securitySolutionsDeepLinks: SecuritySolutionDeepLink[] = [ defaultMessage: 'Timelines', }), ], - order: 9005, + order: 9006, deepLinks: [ { id: SecurityPageName.timelinesTemplates, 
@@ -418,7 +433,7 @@ export const securitySolutionsDeepLinks: SecuritySolutionDeepLink[] = [ extend: { [SecurityPageName.case]: { navLinkStatus: AppNavLinkStatus.visible, - order: 9006, + order: 9007, features: [FEATURE.casesRead], }, [SecurityPageName.caseConfigure]: { @@ -448,7 +463,7 @@ export const securitySolutionsDeepLinks: SecuritySolutionDeepLink[] = [ id: SecurityPageName.endpoints, navLinkStatus: AppNavLinkStatus.visible, title: ENDPOINTS, - order: 9006, + order: 9008, path: ENDPOINTS_PATH, }, { diff --git a/x-pack/plugins/security_solution/public/app/home/home_navigations.ts b/x-pack/plugins/security_solution/public/app/home/home_navigations.ts index 02727084020b5..c6139557964a8 100644 --- a/x-pack/plugins/security_solution/public/app/home/home_navigations.ts +++ b/x-pack/plugins/security_solution/public/app/home/home_navigations.ts @@ -30,6 +30,7 @@ import { SecurityPageName, APP_HOST_ISOLATION_EXCEPTIONS_PATH, APP_USERS_PATH, + APP_KUBERNETES_PATH, APP_LANDING_PATH, } from '../../../common/constants'; @@ -97,6 +98,13 @@ export const navTabs: SecurityNav = { disabled: false, urlKey: 'network', }, + [SecurityPageName.kubernetes]: { + id: SecurityPageName.kubernetes, + name: i18n.KUBERNETES, + href: APP_KUBERNETES_PATH, + disabled: false, + urlKey: 'kubernetes', + }, [SecurityPageName.timelines]: { id: SecurityPageName.timelines, name: i18n.TIMELINES, diff --git a/x-pack/plugins/security_solution/public/app/translations.ts b/x-pack/plugins/security_solution/public/app/translations.ts index 7586cff6e0da0..59c363336c711 100644 --- a/x-pack/plugins/security_solution/public/app/translations.ts +++ b/x-pack/plugins/security_solution/public/app/translations.ts 
@@ -38,6 +38,10 @@ export const USERS = i18n.translate('xpack.securitySolution.navigation.users', { defaultMessage: 'Users', }); +export const KUBERNETES = i18n.translate('xpack.securitySolution.navigation.kubernetes', { + defaultMessage: 'Kubernetes', +}); + export const RULES = i18n.translate('xpack.securitySolution.navigation.rules', { defaultMessage: 'Rules', }); diff --git a/x-pack/plugins/security_solution/public/cases/links.ts b/x-pack/plugins/security_solution/public/cases/links.ts index bafaee6baa583..74c64e8b8c488 100644 --- a/x-pack/plugins/security_solution/public/cases/links.ts +++ b/x-pack/plugins/security_solution/public/cases/links.ts @@ -15,7 +15,7 @@ export const getCasesLinkItems = (): LinkItem => { extend: { [SecurityPageName.case]: { globalNavEnabled: true, - globalNavOrder: 9006, + globalNavOrder: 9007, capabilities: [`${CASES_FEATURE_ID}.read_cases`], }, [SecurityPageName.caseConfigure]: { diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/host_risk_summary.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/host_risk_summary.tsx index b429a8a9f234e..e42b87ecb4909 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/host_risk_summary.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/host_risk_summary.tsx @@ -54,7 +54,7 @@ const HostRiskSummaryComponent: React.FC<{ {hostRisk.isModuleEnabled && hostRisk.result && hostRisk.result.length > 0 && ( <> } diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/translations.ts b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/translations.ts index 41273372489a7..59e71a2ba6f43 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/translations.ts 
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/translations.ts @@ -145,3 +145,10 @@ export const ENRICHED_DATA = i18n.translate( defaultMessage: 'Enriched data', } ); + +export const HOST_RISK_CLASSIFICATION = i18n.translate( + 'xpack.securitySolution.alertDetails.hostRiskClassification', + { + defaultMessage: 'Host risk classification', + } +); diff --git a/x-pack/plugins/security_solution/public/common/components/link_to/index.ts b/x-pack/plugins/security_solution/public/common/components/link_to/index.ts index fe0b8fbdbfba7..bac47b1dd5d62 100644 --- a/x-pack/plugins/security_solution/public/common/components/link_to/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/link_to/index.ts @@ -15,6 +15,7 @@ import { SecurityPageName } from '../../../app/types'; export { getDetectionEngineUrl, getRuleDetailsUrl } from './redirect_to_detection_engine'; export { getHostDetailsUrl, getTabsOnHostDetailsUrl, getHostsUrl } from './redirect_to_hosts'; +export { getKubernetesUrl, getKubernetesDetailsUrl } from './redirect_to_kubernetes'; export { getNetworkUrl, getNetworkDetailsUrl } from './redirect_to_network'; export { getTimelineTabsUrl, getTimelineUrl } from './redirect_to_timelines'; export { diff --git a/x-pack/plugins/security_solution/public/common/components/link_to/redirect_to_kubernetes.tsx b/x-pack/plugins/security_solution/public/common/components/link_to/redirect_to_kubernetes.tsx new file mode 100644 index 0000000000000..1f2c2b63def3d --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/components/link_to/redirect_to_kubernetes.tsx 
@@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { KUBERNETES_PATH } from '../../../../common/constants'; +import { appendSearch } from './helpers'; + +export const getKubernetesUrl = (search?: string) => `${KUBERNETES_PATH}${appendSearch(search)}`; + +export const getKubernetesDetailsUrl = (detailName: string, search?: string) => + `/${detailName}${appendSearch(search)}`; diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts index e545d4f19bbb9..e0c4467bf5ae0 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts @@ -20,11 +20,9 @@ import { APP_UI_ID } from '../../../../../common/constants'; import { useDeepEqualSelector } from '../../../hooks/use_selector'; import { useIsGroupedNavigationEnabled } from '../helpers'; import { navTabs } from '../../../../app/home/home_navigations'; -import { getAppLinks } from '../../../links/app_links'; -import { allowedExperimentalValues } from '../../../../../common/experimental_features'; -import { StartPlugins } from '../../../../types'; -import { coreMock } from '@kbn/core/public/mocks'; +import { links } from '../../../links/app_links'; import { updateAppLinks } from '../../../links'; +import { allowedExperimentalValues } from '../../../../../common/experimental_features'; jest.mock('../../../hooks/use_selector'); 
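Review bot: `getKubernetesDetailsUrl` interpolates `detailName` straight into the path, and the breadcrumb code in this change passes `params.detailName` taken from the route state, so a value containing `/`, `?` or `#` would produce a malformed or re-routed URL; `encodeURIComponent(detailName)` keeps the segment intact, e.g. `` `/${encodeURIComponent(detailName)}${appendSearch(search)}` ``. If the sibling `redirect_to_*` helpers deliberately leave names raw for router matching, a one-line comment stating that would save the next reader the question.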
@@ -163,9 +161,8 @@ const manageBreadcrumbs = { }; describe('Navigation Breadcrumbs', () => { - beforeAll(async () => { - const appLinks = await getAppLinks(coreMock.createStart(), {} as StartPlugins); - updateAppLinks(appLinks, { + beforeAll(() => { + updateAppLinks(links, { experimentalFeatures: allowedExperimentalValues, capabilities: { navLinks: {}, diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.ts b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.ts index ba4835bf776c9..1449ff66b3317 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.ts @@ -14,6 +14,7 @@ import { getTrailingBreadcrumbs as getHostDetailsBreadcrumbs } from '../../../.. import { getTrailingBreadcrumbs as getIPDetailsBreadcrumbs } from '../../../../network/pages/details'; import { getTrailingBreadcrumbs as getDetectionRulesBreadcrumbs } from '../../../../detections/pages/detection_engine/rules/utils'; import { getTrailingBreadcrumbs as getUsersBreadcrumbs } from '../../../../users/pages/details/utils'; +import { getTrailingBreadcrumbs as getKubernetesBreadcrumbs } from '../../../../kubernetes/pages/utils/breadcrumbs'; import { getTrailingBreadcrumbs as getAdminBreadcrumbs } from '../../../../management/common/breadcrumbs'; import { SecurityPageName } from '../../../../app/types'; import { @@ -134,6 +135,10 @@ const getTrailingBreadcrumbsForRoutes = ( return getDetectionRulesBreadcrumbs(spyState, getSecuritySolutionUrl); } + if (isKubernetesRoutes(spyState)) { + return getKubernetesBreadcrumbs(spyState, getSecuritySolutionUrl); + } + return []; }; 
@@ -148,6 +153,9 @@ const isUsersRoutes = (spyState: RouteSpyState): spyState is UsersRouteSpyState const isCaseRoutes = (spyState: RouteSpyState) => spyState.pageName === SecurityPageName.case; +const isKubernetesRoutes = (spyState: RouteSpyState) => + spyState.pageName === SecurityPageName.kubernetes; + const isAdminRoutes = (spyState: RouteSpyState): spyState is AdministrationRouteSpyState => spyState.pageName === SecurityPageName.administration; diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/types.ts b/x-pack/plugins/security_solution/public/common/components/navigation/types.ts index 85d504165484b..4bc47ea02dba1 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/types.ts +++ b/x-pack/plugins/security_solution/public/common/components/navigation/types.ts @@ -61,6 +61,7 @@ export const securityNavKeys = [ SecurityPageName.timelines, SecurityPageName.trustedApps, SecurityPageName.users, + SecurityPageName.kubernetes, ] as const; export type SecurityNavKey = typeof securityNavKeys[number]; diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx index 5893c0f778967..64f7d3c2ddfb7 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.test.tsx 
@@ -122,6 +122,16 @@ describe('useSecuritySolutionNavigation', () => { expect(result?.current?.items?.[2].items?.[2].id).toEqual(SecurityPageName.users); }); + // TODO: [kubernetes] remove when no longer experimental + it('should include kubernetes when feature flag is on', async () => { + (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(true); + const { result } = renderHook<{}, KibanaPageTemplateProps['solutionNav']>( + () => useSecuritySolutionNavigation(), + { wrapper: TestProviders } + ); + expect(result?.current?.items?.[2].items?.[3].id).toEqual(SecurityPageName.kubernetes); + }); + it('should omit host isolation exceptions if hook reports false', () => { (useCanSeeHostIsolationExceptionsMenu as jest.Mock).mockReturnValueOnce(false); const { result } = renderHook<{}, KibanaPageTemplateProps['solutionNav']>( diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.tsx index f23be09609ede..8f1dab106d905 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/index.tsx @@ -32,7 +32,10 @@ export const useSecuritySolutionNavigation = () => { const { detailName, flowTarget, pageName, pathName, search, state, tabName } = routeProps; - const disabledNavTabs = [...(!useIsExperimentalFeatureEnabled('usersEnabled') ? ['users'] : [])]; + const disabledNavTabs = [ + ...(!useIsExperimentalFeatureEnabled('usersEnabled') ? ['users'] : []), + ...(!useIsExperimentalFeatureEnabled('kubernetesEnabled') ? ['kubernetes'] : []), + ]; const enabledNavTabs: GenericNavRecord = omit(disabledNavTabs, navTabs); const setBreadcrumbs = useSetBreadcrumbs(); 
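Review bot: The tab is omitted with the string literal `'kubernetes'` while the `navTabs` entry it has to match is keyed by `SecurityPageName.kubernetes`, so this only works if that enum member's value happens to be `'kubernetes'`; using `SecurityPageName.kubernetes` in the list (and `SecurityPageName.users` for the existing entry) ties the two together and survives a rename. `useSecuritySolutionNavigation`'s body continues outside the hunk.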
diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx index 84680ad5ceacd..4012bb81466cf 100644 --- a/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx +++ b/x-pack/plugins/security_solution/public/common/components/navigation/use_security_solution_navigation/use_navigation_items.tsx @@ -98,6 +98,9 @@ function usePrimaryNavigationItemsToDisplay(navTabs: Record) { ...(navTabs[SecurityPageName.users] != null ? [navTabs[SecurityPageName.users]] : []), + ...(navTabs[SecurityPageName.kubernetes] != null + ? [navTabs[SecurityPageName.kubernetes]] + : []), ], }, { diff --git a/x-pack/plugins/security_solution/public/common/components/query_bar/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/query_bar/index.test.tsx index 0b3e9e28d3183..ded1abf3aa567 100644 --- a/x-pack/plugins/security_solution/public/common/components/query_bar/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/query_bar/index.test.tsx @@ -210,7 +210,8 @@ describe('QueryBar ', () => { }); }); - describe('#onQuerySubmit', () => { + // FLAKY: https://github.com/elastic/kibana/issues/132659 + describe.skip('#onQuerySubmit', () => { test(' is the only reference that changed when filterQuery props get updated', async () => { const wrapper = await getWrapper( ({ })); describe('UrlStateContainer', () => { - beforeAll(async () => { + beforeAll(() => { mockedUseIsGroupedNavigationEnabled.mockReturnValue(false); - - const appLinks = await getAppLinks(coreMock.createStart(), {} as StartPlugins); - updateAppLinks(appLinks, { + updateAppLinks(links, { experimentalFeatures: allowedExperimentalValues, capabilities: { navLinks: {}, 
diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/index_mocked.test.tsx b/x-pack/plugins/security_solution/public/common/components/url_state/index_mocked.test.tsx index 011621b95a0c4..4e87be0fb5316 100644 --- a/x-pack/plugins/security_solution/public/common/components/url_state/index_mocked.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/url_state/index_mocked.test.tsx @@ -17,11 +17,9 @@ import { UrlStateContainerPropTypes } from './types'; import { useUrlStateHooks } from './use_url_state'; import { useLocation } from 'react-router-dom'; import { DASHBOARDS_PATH, MANAGEMENT_PATH } from '../../../../common/constants'; -import { getAppLinks } from '../../links/app_links'; -import { StartPlugins } from '../../../types'; +import { links } from '../../links/app_links'; import { updateAppLinks } from '../../links'; import { allowedExperimentalValues } from '../../../../common/experimental_features'; -import { coreMock } from '@kbn/core/public/mocks'; let mockProps: UrlStateContainerPropTypes; @@ -56,11 +54,9 @@ jest.mock('../navigation/helpers', () => ({ })); describe('UrlStateContainer - lodash.throttle mocked to test update url', () => { - beforeAll(async () => { + beforeAll(() => { mockedUseIsGroupedNavigationEnabled.mockReturnValue(false); - - const appLinks = await getAppLinks(coreMock.createStart(), {} as StartPlugins); - updateAppLinks(appLinks, { + updateAppLinks(links, { experimentalFeatures: allowedExperimentalValues, capabilities: { navLinks: {}, diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts b/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts index 9820b771ca123..03ec5b0dcf940 100644 --- a/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts +++ b/x-pack/plugins/security_solution/public/common/components/url_state/test_dependencies.ts 
@@ -326,4 +326,13 @@ export const testCases: Array< /* pageName */ SecurityPageName.timelines, /* detailName */ undefined, ], + [ + /* page */ CONSTANTS.kubernetesPage, + /* namespaceLower */ 'kubernetes', + /* namespaceUpper */ 'Kubernetes', + /* pathName */ '/kubernetes', + /* type */ null, + /* pageName */ SecurityPageName.kubernetes, + /* detailName */ undefined, + ], ]; diff --git a/x-pack/plugins/security_solution/public/common/components/url_state/types.ts b/x-pack/plugins/security_solution/public/common/components/url_state/types.ts index f43eaba280d7a..8633987b7c1c5 100644 --- a/x-pack/plugins/security_solution/public/common/components/url_state/types.ts +++ b/x-pack/plugins/security_solution/public/common/components/url_state/types.ts @@ -32,6 +32,7 @@ export type LocationTypes = | CONSTANTS.alertsPage | CONSTANTS.hostsDetails | CONSTANTS.hostsPage + | CONSTANTS.kubernetesPage | CONSTANTS.networkDetails | CONSTANTS.networkPage | CONSTANTS.overviewPage diff --git a/x-pack/plugins/security_solution/public/common/links/app_links.ts b/x-pack/plugins/security_solution/public/common/links/app_links.ts index 45a7ed373222f..fe870caa09c37 100644 --- a/x-pack/plugins/security_solution/public/common/links/app_links.ts +++ b/x-pack/plugins/security_solution/public/common/links/app_links.ts 
@@ -9,17 +9,28 @@ import { AppLinkItems } from './types'; import { links as detectionLinks } from '../../detections/links'; import { links as timelinesLinks } from '../../timelines/links'; import { getCasesLinkItems } from '../../cases/links'; -import { getManagementLinkItems } from '../../management/links'; +import { links as managementLinks, getManagementFilteredLinks } from '../../management/links'; import { dashboardsLandingLinks, threatHuntingLandingLinks } from '../../landing_pages/links'; import { gettingStartedLinks } from '../../overview/links'; import { StartPlugins } from '../../types'; -export const getAppLinks = async ( +const casesLinks = getCasesLinkItems(); + +export const links = Object.freeze([ + dashboardsLandingLinks, + detectionLinks, + timelinesLinks, + casesLinks, + threatHuntingLandingLinks, + gettingStartedLinks, + managementLinks, +]); + +export const getFilteredLinks = async ( core: CoreStart, plugins: StartPlugins ): Promise => { - const managementLinks = await getManagementLinkItems(core, plugins); - const casesLinks = getCasesLinkItems(); + const managementFilteredLinks = await getManagementFilteredLinks(core, plugins); return Object.freeze([ dashboardsLandingLinks, @@ -28,6 +39,6 @@ export const getAppLinks = async ( casesLinks, threatHuntingLandingLinks, gettingStartedLinks, - managementLinks, + managementFilteredLinks, ]); }; diff --git a/x-pack/plugins/security_solution/public/common/links/links.test.ts b/x-pack/plugins/security_solution/public/common/links/links.test.ts index 896f9357077c8..7493cab82a48e 100644 --- a/x-pack/plugins/security_solution/public/common/links/links.test.ts +++ b/x-pack/plugins/security_solution/public/common/links/links.test.ts @@ -17,7 +17,7 @@ import { getLinkInfo, needsUrlState, updateAppLinks, - excludeAppLink, + useLinkExists, } from './links'; const defaultAppLinks: AppLinkItems = [ 
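Review bot: `links` and the array returned by `getFilteredLinks` repeat the same seven-entry list and differ only in the management entry, so the two will drift the first time an entry is added to one and not the other (the new `kubernetesLinks` is reached through `threatHuntingLandingLinks`, so it happens to be fine here). Building the filtered list from `links` keeps a single source of truth, e.g. `return Object.freeze(links.map((link) => (link === managementLinks ? managementFilteredLinks : link)));`.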
@@ -56,6 +56,10 @@ const mockLicense = { const renderUseAppLinks = () => renderHook<{}, AppLinkItems>(() => useAppLinks(), { wrapper: TestProviders }); +const renderUseLinkExists = (id: SecurityPageName) => + renderHook(() => useLinkExists(id), { + wrapper: TestProviders, + }); describe('Security app links', () => { beforeEach(() => { 
@@ -159,27 +163,68 @@ describe('Security app links', () => { }); }); - describe('excludeAppLink', () => { - it('should exclude link from app links', async () => { - const { result, waitForNextUpdate } = renderUseAppLinks(); + describe('useLinkExists', () => { + it('should return true if the link exists', () => { + const { result } = renderUseLinkExists(SecurityPageName.hostsEvents); + expect(result.current).toBe(true); + }); + + it('should return false if the link does not exists', () => { + const { result } = renderUseLinkExists(SecurityPageName.rules); + expect(result.current).toBe(false); + }); + + it('should update if the links are removed', async () => { + const { result, waitForNextUpdate } = renderUseLinkExists(SecurityPageName.hostsEvents); + expect(result.current).toBe(true); await act(async () => { - excludeAppLink(SecurityPageName.hostsEvents); + updateAppLinks( + [ + { + id: SecurityPageName.hosts, + title: 'Hosts', + path: '/hosts', + }, + ], + { + capabilities: mockCapabilities, + experimentalFeatures: mockExperimentalDefaults, + license: mockLicense, + } + ); await waitForNextUpdate(); }); - expect(result.current).toStrictEqual([ - { - id: SecurityPageName.hosts, - title: 'Hosts', - path: '/hosts', - links: [ + expect(result.current).toBe(false); + }); + + it('should update if the links are added', async () => { + const { result, waitForNextUpdate } = renderUseLinkExists(SecurityPageName.rules); + expect(result.current).toBe(false); + await act(async () => { + updateAppLinks( + [ { - id: SecurityPageName.hostsAuthentications, - title: 'Authentications', - path: `/hosts/authentications`, + id: SecurityPageName.hosts, + title: 'Hosts', + path: '/hosts', + links: [ + { + id: SecurityPageName.rules, + title: 'Rules', + path: '/rules', + }, + ], }, ], - }, - ]); + { + capabilities: mockCapabilities, + experimentalFeatures: mockExperimentalDefaults, + license: mockLicense, + } + ); + await waitForNextUpdate(); + }); + expect(result.current).toBe(true); }); 
}); diff --git a/x-pack/plugins/security_solution/public/common/links/links.ts b/x-pack/plugins/security_solution/public/common/links/links.ts index 384861a9dc5e7..de0c5713bf6bf 100644 --- a/x-pack/plugins/security_solution/public/common/links/links.ts +++ b/x-pack/plugins/security_solution/public/common/links/links.ts @@ -57,6 +57,23 @@ export const useAppLinks = (): AppLinkItems => { return appLinks; }; +/** + * Hook to check if a link exists in the application links, + * It can be used to know if a link access is authorized. + */ +export const useLinkExists = (id: SecurityPageName): boolean => { + const [linkExists, setLinkExists] = useState(!!getNormalizedLink(id)); + + useEffect(() => { + const linksSubscription = subscribeAppLinks(() => { + setLinkExists(!!getNormalizedLink(id)); + }); + return () => linksSubscription.unsubscribe(); + }, [id]); + + return linkExists; +}; + /** * Updates the app links applying the filter by permissions */ 
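Review bot: The doc comment on `useLinkExists` says the hook can be used "to know if a link access is authorized", but what it reflects is the client-side filtering applied by `updateAppLinks` (capabilities, license and experimental flags); it is a navigation gate, not an authorization check, and any API the page calls must still enforce access server-side. I would reword it to `Hook to check whether a link is present in the filtered app links (capabilities/license/experimental flags). This is a UI gate only; server-side authorization is enforced by the APIs themselves.` Separately, the initial `useState(!!getNormalizedLink(id))` and the subscription in the effect are evaluated at different times, so if `subscribeAppLinks` does not replay the current value on subscribe, an update landing between render and effect would be missed; calling `setLinkExists(!!getNormalizedLink(id))` at the top of the effect closes that window.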
@@ -71,44 +88,6 @@ export const updateAppLinks = ( }); }; -/** - * Excludes a link by id from the current app links - * @deprecated this function will not be needed when async link filtering is migrated to the main getAppLinks functions - */ -export const excludeAppLink = (linkId: SecurityPageName) => { - const { links, normalizedLinks } = appLinksUpdater$.getValue(); - if (!normalizedLinks[linkId]) { - return; - } - - let found = false; - const excludeRec = (currentLinks: AppLinkItems): LinkItem[] => - currentLinks.reduce((acc, link) => { - if (!found) { - if (link.id === linkId) { - found = true; - return acc; - } - if (link.links) { - const excludedLinks = excludeRec(link.links); - if (excludedLinks.length > 0) { - acc.push({ ...link, links: excludedLinks }); - return acc; - } - } - } - acc.push(link); - return acc; - }, []); - - const excludedLinks = excludeRec(links); - - appLinksUpdater$.next({ - links: Object.freeze(excludedLinks), - normalizedLinks: Object.freeze(getNormalizedLinks(excludedLinks)), - }); -}; - /** * Returns the `LinkInfo` from a link id parameter */ diff --git a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx index 175aa487a112e..51c8b3bdd3ddf 100644 --- a/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx +++ b/x-pack/plugins/security_solution/public/common/utils/empty_view/use_show_pages_with_empty_view.tsx @@ -18,6 +18,7 @@ const isPageNameWithEmptyView = (currentName: string) => { SecurityPageName.timelines, SecurityPageName.overview, SecurityPageName.users, + SecurityPageName.kubernetes, ]; return pageNamesWithEmptyView.includes(currentName); }; 
diff --git a/x-pack/plugins/security_solution/public/common/utils/timeline/use_show_timeline.test.tsx b/x-pack/plugins/security_solution/public/common/utils/timeline/use_show_timeline.test.tsx index 379e23c6aad94..9968785e884fa 100644 --- a/x-pack/plugins/security_solution/public/common/utils/timeline/use_show_timeline.test.tsx +++ b/x-pack/plugins/security_solution/public/common/utils/timeline/use_show_timeline.test.tsx @@ -6,12 +6,10 @@ */ import { renderHook, act } from '@testing-library/react-hooks'; -import { coreMock } from '@kbn/core/public/mocks'; import { allowedExperimentalValues } from '../../../../common/experimental_features'; import { updateAppLinks } from '../../links'; -import { getAppLinks } from '../../links/app_links'; +import { links } from '../../links/app_links'; import { useShowTimeline } from './use_show_timeline'; -import { StartPlugins } from '../../../types'; const mockUseLocation = jest.fn().mockReturnValue({ pathname: '/overview' }); jest.mock('react-router-dom', () => { @@ -38,10 +36,9 @@ jest.mock('../../components/navigation/helpers', () => ({ })); describe('use show timeline', () => { - beforeAll(async () => { + beforeAll(() => { // initialize all App links before running test - const appLinks = await getAppLinks(coreMock.createStart(), {} as StartPlugins); - updateAppLinks(appLinks, { + updateAppLinks(links, { experimentalFeatures: allowedExperimentalValues, capabilities: { navLinks: {}, diff --git a/x-pack/plugins/security_solution/public/kubernetes/index.ts b/x-pack/plugins/security_solution/public/kubernetes/index.ts new file mode 100644 index 0000000000000..683e30a720f1a --- /dev/null +++ b/x-pack/plugins/security_solution/public/kubernetes/index.ts 
@@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { SecuritySubPlugin } from '../app/types'; +import { routes } from './routes'; + +export class Kubernetes { + public setup() {} + + public start(): SecuritySubPlugin { + return { + routes, + }; + } +} diff --git a/x-pack/plugins/security_solution/public/kubernetes/links.ts b/x-pack/plugins/security_solution/public/kubernetes/links.ts new file mode 100644 index 0000000000000..858c18b7c5c95 --- /dev/null +++ b/x-pack/plugins/security_solution/public/kubernetes/links.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { KUBERNETES_PATH, SecurityPageName } from '../../common/constants'; +import { KUBERNETES } from '../app/translations'; +import { LinkItem } from '../common/links/types'; + +export const links: LinkItem = { + id: SecurityPageName.kubernetes, + title: KUBERNETES, + path: KUBERNETES_PATH, + globalNavEnabled: true, + experimentalKey: 'kubernetesEnabled', + globalSearchKeywords: ['Kubernetes'], + globalNavOrder: 9005, +}; diff --git a/x-pack/plugins/security_solution/public/kubernetes/pages/index.tsx b/x-pack/plugins/security_solution/public/kubernetes/pages/index.tsx new file mode 100644 index 0000000000000..6cb28c7a59ce2 --- /dev/null +++ b/x-pack/plugins/security_solution/public/kubernetes/pages/index.tsx 
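Review bot: `globalSearchKeywords: ['Kubernetes']` in the new `kubernetes/links.ts` is a raw string, while the matching deep link in `deep_links/index.ts` wraps the same keyword in `i18n.translate('xpack.securitySolution.search.kubernetes', …)` and the `title` here uses the translated `KUBERNETES`; the `hostsLinks`/`usersLinks` siblings are not visible in this hunk, but if they translate their keywords this entry should follow, e.g. `globalSearchKeywords: [i18n.translate('<i18n-id>', { defaultMessage: 'Kubernetes' })]` with the id chosen to match the siblings.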
@@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { SecuritySolutionPageWrapper } from '../../common/components/page_wrapper'; +import { useKibana } from '../../common/lib/kibana'; +import { SecurityPageName } from '../../../common/constants'; +import { SpyRoute } from '../../common/utils/route/spy_routes'; +import { FiltersGlobal } from '../../common/components/filters_global'; +import { SiemSearchBar } from '../../common/components/search_bar'; +import { showGlobalFilters } from '../../timelines/components/timeline/helpers'; +import { useGlobalFullScreen } from '../../common/containers/use_full_screen'; +import { useSourcererDataView } from '../../common/containers/sourcerer'; + +export const KubernetesContainer = React.memo(() => { + const { kubernetesSecurity } = useKibana().services; + const { globalFullScreen } = useGlobalFullScreen(); + const { + indexPattern, + // runtimeMappings, + // loading: isLoadingIndexPattern, + } = useSourcererDataView(); + return ( + + {kubernetesSecurity.getKubernetesPage({ + filter: ( + + + + ), + })} + + + ); +}); + +KubernetesContainer.displayName = 'KubernetesContainer'; diff --git a/x-pack/plugins/security_solution/public/kubernetes/pages/utils/breadcrumbs.ts b/x-pack/plugins/security_solution/public/kubernetes/pages/utils/breadcrumbs.ts new file mode 100644 index 0000000000000..cc512732fe416 --- /dev/null +++ b/x-pack/plugins/security_solution/public/kubernetes/pages/utils/breadcrumbs.ts 
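Review bot: The destructuring of `useSourcererDataView()` in `KubernetesContainer` carries two commented-out members (`// runtimeMappings,` and `// loading: isLoadingIndexPattern,`); either wire them in (a loading flag would normally gate rendering of the search bar while the data view resolves) or drop the lines, since commented-out code tends to outlive its intent. `kubernetesSecurity` is read from `useKibana().services` without a guard, which holds while the plugin stays in `requiredPlugins` but would need `kubernetesSecurity?.getKubernetesPage` if that dependency is ever relaxed to optional.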
@@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ChromeBreadcrumb } from '@kbn/core/public'; +import { RouteSpyState } from '../../../common/utils/route/types'; +import { SecurityPageName } from '../../../app/types'; +import { + getKubernetesDetailsUrl, + GetSecuritySolutionUrl, +} from '../../../common/components/link_to'; + +export const getTrailingBreadcrumbs = ( + params: RouteSpyState, + getSecuritySolutionUrl: GetSecuritySolutionUrl +): ChromeBreadcrumb[] => { + let breadcrumb: ChromeBreadcrumb[] = []; + + if (params.detailName != null) { + breadcrumb = [ + { + text: params.detailName, + href: getSecuritySolutionUrl({ + path: getKubernetesDetailsUrl(params.detailName, ''), + deepLinkId: SecurityPageName.kubernetes, + }), + }, + ]; + } + + return breadcrumb; +}; diff --git a/x-pack/plugins/security_solution/public/kubernetes/routes.tsx b/x-pack/plugins/security_solution/public/kubernetes/routes.tsx new file mode 100644 index 0000000000000..b3116d408b3a6 --- /dev/null +++ b/x-pack/plugins/security_solution/public/kubernetes/routes.tsx 
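Review bot: `getTrailingBreadcrumbs` only produces a crumb when `params.detailName` is set, but the routes added in `kubernetes/routes.tsx` register only `KUBERNETES_PATH`, so unless a details route is defined elsewhere this branch is unreachable for now; a short comment noting that the detail crumb anticipates a future details route would explain the otherwise dead branch. Stylistically, the `let breadcrumb` reassigned inside a single `if` reads more directly as one expression, `return params.detailName != null ? [{ text: params.detailName, href: … }] : [];`.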
@@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { TrackApplicationView } from '@kbn/usage-collection-plugin/public'; +import { KubernetesContainer } from './pages'; + +import { SecurityPageName, SecuritySubPluginRoutes } from '../app/types'; +import { KUBERNETES_PATH } from '../../common/constants'; + +export const KubernetesRoutes = () => ( + + + +); + +export const routes: SecuritySubPluginRoutes = [ + { + path: KUBERNETES_PATH, + render: KubernetesRoutes, + }, +]; diff --git a/x-pack/plugins/security_solution/public/landing_pages/links.ts b/x-pack/plugins/security_solution/public/landing_pages/links.ts index 3c8ec59632deb..c001761ff629f 100644 --- a/x-pack/plugins/security_solution/public/landing_pages/links.ts +++ b/x-pack/plugins/security_solution/public/landing_pages/links.ts @@ -18,6 +18,7 @@ import { overviewLinks, detectionResponseLinks } from '../overview/links'; import { links as hostsLinks } from '../hosts/links'; import { links as networkLinks } from '../network/links'; import { links as usersLinks } from '../users/links'; +import { links as kubernetesLinks } from '../kubernetes/links'; export const dashboardsLandingLinks: LinkItem = { id: SecurityPageName.dashboardsLanding, @@ -46,7 +47,7 @@ export const threatHuntingLandingLinks: LinkItem = { defaultMessage: 'Explore', }), ], - links: [hostsLinks, networkLinks, usersLinks], + links: [hostsLinks, networkLinks, usersLinks, kubernetesLinks], skipUrlState: true, hideTimeline: true, }; diff --git a/x-pack/plugins/security_solution/public/lazy_sub_plugins.tsx b/x-pack/plugins/security_solution/public/lazy_sub_plugins.tsx index a9562207f9eaa..abced3257c681 100644 --- a/x-pack/plugins/security_solution/public/lazy_sub_plugins.tsx 
+++ b/x-pack/plugins/security_solution/public/lazy_sub_plugins.tsx @@ -17,6 +17,7 @@ import { Exceptions } from './exceptions'; import { Hosts } from './hosts'; import { Users } from './users'; import { Network } from './network'; +import { Kubernetes } from './kubernetes'; import { Overview } from './overview'; import { Rules } from './rules'; @@ -34,6 +35,7 @@ const subPluginClasses = { Hosts, Users, Network, + Kubernetes, Overview, Rules, diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_console/endpoint_response_actions_console_commands.ts b/x-pack/plugins/security_solution/public/management/components/endpoint_console/endpoint_response_actions_console_commands.ts index 161b2aaff4d3e..7f1eeeabfd69a 100644 --- a/x-pack/plugins/security_solution/public/management/components/endpoint_console/endpoint_response_actions_console_commands.ts +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_console/endpoint_response_actions_console_commands.ts @@ -8,6 +8,7 @@ import { i18n } from '@kbn/i18n'; import { CommandDefinition } from '../console'; import { IsolateActionResult } from './isolate_action'; +import { ReleaseActionResult } from './release_action'; import { EndpointStatusActionResult } from './status_action'; export const getEndpointResponseActionsConsoleCommands = ( 
@@ -28,7 +29,27 @@ export const getEndpointResponseActionsConsoleCommands = (
 required: false,
 allowMultiples: false,
 about: i18n.translate(
- 'xpack.securitySolution.endpointConsoleCommands.isolate.arg.command',
+ 'xpack.securitySolution.endpointConsoleCommands.isolate.arg.comment',
+ { defaultMessage: 'A comment to go along with the action' }
+ ),
+ },
+ },
+ },
+ {
+ name: 'release',
+ about: i18n.translate('xpack.securitySolution.endpointConsoleCommands.release.about', {
+ defaultMessage: 'Release the host',
+ }),
+ RenderComponent: ReleaseActionResult,
+ meta: {
+ endpointId: endpointAgentId,
+ },
+ args: {
+ comment: {
+ required: false,
+ allowMultiples: false,
+ about: i18n.translate(
+ 'xpack.securitySolution.endpointConsoleCommands.release.arg.comment',
 { defaultMessage: 'A comment to go along with the action' }
 ),
 },
diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.test.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.test.tsx
new file mode 100644
index 0000000000000..746f2ec5d72a4
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.test.tsx
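Review bot: The help text `'Release the host'` for the new `release` command does not say what it undoes; since it is the counterpart of `isolate` and its `RenderComponent` ends up calling `unIsolateHost`, `defaultMessage: 'Release the host from network isolation'` would make the console help unambiguous for an operator. The correction of the isolate key from `.arg.command` to `.arg.comment` is right; both commands now carry the same English string under two keys, which is the usual i18n arrangement. Nothing in this definition gates `release` on the user's response-action privilege — the only client-side check visible is the argument parser — so the gate is presumably where the console is opened and on the server, which is worth confirming for a command that lifts isolation.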
@@ -0,0 +1,175 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { AppContextTestRender, createAppRootMockRenderer } from '../../../common/mock/endpoint'; +import { + ConsoleManagerTestComponent, + getConsoleManagerMockRenderResultQueriesAndActions, +} from '../console/components/console_manager/mocks'; +import React from 'react'; +import { getEndpointResponseActionsConsoleCommands } from './endpoint_response_actions_console_commands'; +import { enterConsoleCommand } from '../console/mocks'; +import { waitFor } from '@testing-library/react'; +import { responseActionsHttpMocks } from '../../mocks/response_actions_http_mocks'; + +describe('When using the release action from response actions console', () => { + let render: () => Promise>; + let renderResult: ReturnType; + let apiMocks: ReturnType; + let consoleManagerMockAccess: ReturnType< + typeof getConsoleManagerMockRenderResultQueriesAndActions + >; + + beforeEach(() => { + const mockedContext = createAppRootMockRenderer(); + + apiMocks = responseActionsHttpMocks(mockedContext.coreStart.http); + + render = async () => { + renderResult = mockedContext.render( + { + return { + consoleProps: { + 'data-test-subj': 'test', + commands: getEndpointResponseActionsConsoleCommands('a.b.c'), + }, + }; + }} + /> + ); + + consoleManagerMockAccess = getConsoleManagerMockRenderResultQueriesAndActions(renderResult); + + await consoleManagerMockAccess.clickOnRegisterNewConsole(); + await consoleManagerMockAccess.openRunningConsole(); + + return renderResult; + }; + }); + + it('should call `release` api when command is entered', async () => { + await render(); + enterConsoleCommand(renderResult, 'release'); + + await waitFor(() => { + expect(apiMocks.responseProvider.releaseHost).toHaveBeenCalledTimes(1); + 
expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalled(); + }); + }); + + it('should accept an optional `--comment`', async () => { + await render(); + enterConsoleCommand(renderResult, 'release --comment "This is a comment"'); + + await waitFor(() => { + expect(apiMocks.responseProvider.releaseHost).toHaveBeenCalledWith( + expect.objectContaining({ + body: expect.stringContaining('This is a comment'), + }) + ); + }); + }); + + it('should only accept one `--comment`', async () => { + await render(); + enterConsoleCommand(renderResult, 'release --comment "one" --comment "two"'); + + expect(renderResult.getByTestId('test-badArgument').textContent).toMatch( + /argument can only be used once: --comment/ + ); + }); + + it('should call the action status api after creating the `release` request', async () => { + await render(); + enterConsoleCommand(renderResult, 'release'); + + await waitFor(() => { + expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalled(); + }); + }); + + it('should show success when `release` action completes with no errors', async () => { + await render(); + enterConsoleCommand(renderResult, 'release'); + + await waitFor(() => { + expect(renderResult.getByTestId('releaseSuccessCallout')).toBeTruthy(); + }); + }); + + it('should show error if release failed to complete successfully', async () => { + const pendingDetailResponse = apiMocks.responseProvider.actionDetails({ + path: '/api/endpoint/action/1.2.3', + }); + pendingDetailResponse.data.wasSuccessful = false; + pendingDetailResponse.data.errors = ['error one', 'error two']; + apiMocks.responseProvider.actionDetails.mockReturnValue(pendingDetailResponse); + await render(); + enterConsoleCommand(renderResult, 'release'); + + await waitFor(() => { + expect(renderResult.getByTestId('releaseErrorCallout').textContent).toMatch( + /error one \| error two/ + ); + }); + }); + + describe('and when console is closed (not terminated) and then reopened', () => { + beforeEach(() => { + 
const _render = render; + + render = async () => { + const response = await _render(); + enterConsoleCommand(response, 'release'); + + await waitFor(() => { + expect(apiMocks.responseProvider.releaseHost).toHaveBeenCalledTimes(1); + }); + + // Hide the console + await consoleManagerMockAccess.hideOpenedConsole(); + + return response; + }; + }); + + it('should NOT send the `release` request again', async () => { + await render(); + await consoleManagerMockAccess.openRunningConsole(); + + expect(apiMocks.responseProvider.releaseHost).toHaveBeenCalledTimes(1); + }); + + it('should continue to check action status when still pending', async () => { + const pendingDetailResponse = apiMocks.responseProvider.actionDetails({ + path: '/api/endpoint/action/1.2.3', + }); + pendingDetailResponse.data.isCompleted = false; + apiMocks.responseProvider.actionDetails.mockReturnValue(pendingDetailResponse); + await render(); + + expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalledTimes(2); + + await consoleManagerMockAccess.hideOpenedConsole(); + await consoleManagerMockAccess.openRunningConsole(); + + expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalledTimes(3); + }); + + it('should display completion output if done (no additional API calls)', async () => { + await render(); + + expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalledTimes(1); + + await consoleManagerMockAccess.hideOpenedConsole(); + await consoleManagerMockAccess.openRunningConsole(); + + expect(apiMocks.responseProvider.actionDetails).toHaveBeenCalledTimes(1); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.tsx b/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.tsx new file mode 100644 index 0000000000000..3e2ae27ffbf09 --- /dev/null +++ b/x-pack/plugins/security_solution/public/management/components/endpoint_console/release_action.tsx 
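Review bot: None of the new tests pins that the release request targets the console's endpoint: the `--comment` case asserts only `body: expect.stringContaining('This is a comment')`, and the other cases check call counts. For an action that lifts host isolation, parse the body and assert it whole, e.g. `expect(JSON.parse(apiMocks.responseProvider.releaseHost.mock.calls[0][0].body)).toEqual({ endpoint_ids: ['a.b.c'], comment: 'This is a comment' });` — the mock's first argument is inferred from the existing `objectContaining({ body })` assertion, so adjust if it receives something else. A case where `releaseHost` rejects (a 403 from the server, say) is also absent, so the component's behaviour on a failed request is untested.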
@@ -0,0 +1,119 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { memo, useEffect } from 'react'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiCallOut } from '@elastic/eui'; +import { ActionDetails } from '../../../../common/endpoint/types'; +import { useGetActionDetails } from '../../hooks/endpoint/use_get_action_details'; +import { EndpointCommandDefinitionMeta } from './types'; +import { useSendReleaseEndpointRequest } from '../../hooks/endpoint/use_send_release_endpoint_request'; +import { CommandExecutionComponentProps } from '../console/types'; + +export const ReleaseActionResult = memo< + CommandExecutionComponentProps< + { + actionId?: string; + actionRequestSent?: boolean; + completedActionDetails?: ActionDetails; + }, + EndpointCommandDefinitionMeta + > +>(({ command, setStore, store, status, setStatus }) => { + const endpointId = command.commandDefinition?.meta?.endpointId; + const { actionId, completedActionDetails } = store; + const isPending = status === 'pending'; + const actionRequestSent = Boolean(store.actionRequestSent); + + const releaseHostApi = useSendReleaseEndpointRequest(); + + const { data: actionDetails } = useGetActionDetails(actionId ?? '-', { + enabled: Boolean(actionId) && isPending, + refetchInterval: isPending ? 
3000 : false, + }); + + // Send Release request if not yet done + useEffect(() => { + if (!actionRequestSent && endpointId) { + releaseHostApi.mutate({ + endpoint_ids: [endpointId], + comment: command.args.args?.comment?.value, + }); + + setStore((prevState) => { + return { ...prevState, actionRequestSent: true }; + }); + } + }, [actionRequestSent, command.args.args?.comment?.value, endpointId, releaseHostApi, setStore]); + + // If release request was created, store the action id if necessary + useEffect(() => { + if (releaseHostApi.isSuccess && actionId !== releaseHostApi.data.action) { + setStore((prevState) => { + return { ...prevState, actionId: releaseHostApi.data.action }; + }); + } + }, [actionId, releaseHostApi?.data?.action, releaseHostApi.isSuccess, setStore]); + + useEffect(() => { + if (actionDetails?.data.isCompleted) { + setStatus('success'); + setStore((prevState) => { + return { + ...prevState, + completedActionDetails: actionDetails.data, + }; + }); + } + }, [actionDetails?.data, setStatus, setStore]); + + // Show nothing if still pending + if (isPending) { + return null; + } + + // Show errors + if (completedActionDetails?.errors) { + return ( + + + + ); + } + + // Show Success + return ( + + + + ); +}); +ReleaseActionResult.displayName = 'ReleaseActionResult'; diff --git a/x-pack/plugins/security_solution/public/management/components/management_empty_state.tsx b/x-pack/plugins/security_solution/public/management/components/management_empty_state.tsx index 80dd9e9563bb5..d1833c2df0ba2 100644 --- a/x-pack/plugins/security_solution/public/management/components/management_empty_state.tsx +++ b/x-pack/plugins/security_solution/public/management/components/management_empty_state.tsx @@ -62,7 +62,7 @@ const PolicyEmptyState = React.memo<{
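Review bot: `ReleaseActionResult` never handles a failed release request: nothing reads `releaseHostApi.isError`, so when the mutation rejects (an authorization failure, for instance) `actionId` stays unset, polling never starts, `status` stays `'pending'` and the component renders `null` for good — the operator sees a command that silently hangs. Add an effect that flips the status on failure and render `releaseHostApi.error?.message` in the error callout; this assumes the console's status union has an error value, which is not visible here. Separately, the request effect lists the whole `releaseHostApi` result object as a dependency, and react-query returns a new object on every mutation state change, so the effect re-runs on each transition and is protected only by the `actionRequestSent` flag set via `setStore` in the same tick; depending on the stable `mutate` function instead removes that reliance. The `isolate_action.tsx` counterpart is not in view and may share the same shape.
```typescript
const { mutate: sendRelease, isError: releaseFailed } = releaseHostApi;

// … unchanged: useGetActionDetails polling …

useEffect(() => {
  if (!actionRequestSent && endpointId) {
    sendRelease({
      endpoint_ids: [endpointId],
      comment: command.args.args?.comment?.value,
    });
    setStore((prevState) => ({ ...prevState, actionRequestSent: true }));
  }
}, [actionRequestSent, command.args.args?.comment?.value, endpointId, sendRelease, setStore]);

// A rejected release request must surface as an error, not an endless pending state
useEffect(() => {
  if (releaseFailed) {
    setStatus('error');
  }
}, [releaseFailed, setStatus]);

// … unchanged: action-id bookkeeping, completion effect, rendering (add releaseHostApi.error?.message to the error callout) …
```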

@@ -78,12 +78,12 @@ const PolicyEmptyState = React.memo<{ {policyEntryPoint ? ( ) : ( )}
@@ -91,7 +91,7 @@ const PolicyEmptyState = React.memo<{
@@ -181,7 +181,8 @@ const EndpointsEmptyState = React.memo<{
 },
 {
 title: i18n.translate('xpack.securitySolution.endpoint.list.stepTwoTitle', {
- defaultMessage: 'Enroll your agents enabled with Endpoint Security through Fleet',
+ defaultMessage:
+ 'Enroll your agents enabled with Endpoint and Cloud Security through Fleet',
 }),
 status: actionDisabled ? 'disabled' : '',
 children: (
@@ -222,13 +223,13 @@ const EndpointsEmptyState = React.memo<{ headerComponent={ } bodyComponent={ } />
diff --git a/x-pack/plugins/security_solution/public/management/hooks/endpoint/use_send_release_endpoint_request.ts b/x-pack/plugins/security_solution/public/management/hooks/endpoint/use_send_release_endpoint_request.ts
new file mode 100644
index 0000000000000..297265953bfed
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/management/hooks/endpoint/use_send_release_endpoint_request.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMutation, UseMutationOptions, UseMutationResult } from 'react-query';
+import { HttpFetchError } from '@kbn/core/public';
+import { HostIsolationRequestBody, HostIsolationResponse } from '../../../../common/endpoint/types';
+import { unIsolateHost } from '../../../common/lib/endpoint_isolation';
+
+/**
+ * Create host release requests
+ * @param customOptions
+ */
+export const useSendReleaseEndpointRequest = (
+ customOptions?: UseMutationOptions<
+ HostIsolationResponse,
+ HttpFetchError,
+ HostIsolationRequestBody
+ >
+): UseMutationResult => {
+ return useMutation(
+ (releaseData: HostIsolationRequestBody) => {
+ return unIsolateHost(releaseData);
+ },
+ customOptions
+ );
+};
diff --git a/x-pack/plugins/security_solution/public/management/links.ts b/x-pack/plugins/security_solution/public/management/links.ts
index 9316f92a0d0b8..7ff9fc689014d 100644
--- a/x-pack/plugins/security_solution/public/management/links.ts
+++ b/x-pack/plugins/security_solution/public/management/links.ts
@@ -67,7 +67,7 @@ const categories = [
 },
 ];
 
-const links: LinkItem = {
+export const links: LinkItem = {
 id: SecurityPageName.administration,
 title: MANAGE,
 path: MANAGE_PATH,
@@ -132,7 +132,7 @@ const links: LinkItem = {
 landingIcon: IconEndpoints,
 globalNavEnabled: true,
 title: ENDPOINTS,
- globalNavOrder: 9006,
+ globalNavOrder: 9008,
 path: ENDPOINTS_PATH,
 skipUrlState: true,
 hideTimeline: true,
@@ -201,7 +201,10 @@ const links: LinkItem = {
 ],
 };
 
-export const getManagementLinkItems = async (core: CoreStart, plugins: StartPlugins) => {
+export const getManagementFilteredLinks = async (
+ core: CoreStart,
+ plugins: StartPlugins
+): Promise => {
 // TODO: implement async logic to exclude links
 return links;
 };
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_list.test.tsx b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_list.test.tsx
index 3ea50af79a9c3..6d9ade15971eb 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_list.test.tsx
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/view/policy_list.test.tsx
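Review bot: `getManagementFilteredLinks` now promises filtering in its name but still returns the whole `links` tree for every caller, and the `// TODO: implement async logic to exclude links` does not say what is meant to be excluded or on what basis. Until the logic lands, document the contract so nobody treats the result as an authorization decision: `/** Manage links shown to the current user. Filtering by capabilities/license is NOT implemented yet: every link is returned regardless of `core`/`plugins`, so callers must not rely on this for access control. */`. The caller in plugin.tsx registers the unfiltered `links` first and swaps in the resolved set later, so navigation visibility is cosmetic here and the server-side checks remain the real gate; a sentence to that effect in the TODO would stop a future change from weakening them.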
@@ -62,7 +62,7 @@ describe('When on the policy list page', () => { it('should show instruction text and a button to add the Endpoint Security integration', () => { expect( renderResult.findByText( - 'From this page, you’ll be able to view and manage the Endpoint Security Integration policies in your environment running Endpoint Security.' + 'From this page, you’ll be able to view and manage the Endpoint and Cloud Security Integration policies in your environment running Endpoint and Cloud Security.' ) ).toBeTruthy(); expect(renderResult.getByTestId('onboardingStartButton')).toBeTruthy(); diff --git a/x-pack/plugins/security_solution/public/network/components/source_destination/source_destination_arrows.tsx b/x-pack/plugins/security_solution/public/network/components/source_destination/source_destination_arrows.tsx index 6858520340aae..deca4438ba93c 100644 --- a/x-pack/plugins/security_solution/public/network/components/source_destination/source_destination_arrows.tsx +++ b/x-pack/plugins/security_solution/public/network/components/source_destination/source_destination_arrows.tsx @@ -69,7 +69,7 @@ const SourceArrow = React.memo<{ return ( - + {sourceBytes != null && !isNaN(Number(sourceBytes)) ? ( @@ -95,7 +95,7 @@ const SourceArrow = React.memo<{ ) : null} - + {sourcePackets != null && !isNaN(Number(sourcePackets)) ? ( @@ -114,7 +114,7 @@ const SourceArrow = React.memo<{ ) : null} - + @@ -158,7 +158,7 @@ const DestinationArrow = React.memo<{ - + {destinationBytes != null && !isNaN(Number(destinationBytes)) ? ( @@ -184,7 +184,7 @@ const DestinationArrow = React.memo<{ ) : null} - + {destinationPackets != null && !isNaN(Number(destinationPackets)) ? ( @@ -205,7 +205,7 @@ const DestinationArrow = React.memo<{ ) : null} - + ); diff --git a/x-pack/plugins/security_solution/public/network/containers/details/index.tsx b/x-pack/plugins/security_solution/public/network/containers/details/index.tsx index cadc0e0000e6a..31af3c6cd2ab6 100644 
--- a/x-pack/plugins/security_solution/public/network/containers/details/index.tsx +++ b/x-pack/plugins/security_solution/public/network/containers/details/index.tsx @@ -16,7 +16,6 @@ import { inputsModel } from '../../../common/store'; import { useKibana } from '../../../common/lib/kibana'; import { createFilter } from '../../../common/containers/helpers'; import { - DocValueFields, NetworkQueries, NetworkDetailsRequestOptions, NetworkDetailsStrategyResponse, @@ -38,7 +37,6 @@ export interface NetworkDetailsArgs { interface UseNetworkDetails { id?: string; - docValueFields: DocValueFields[]; ip: string; indexNames: string[]; filterQuery?: ESTermQuery | string; @@ -46,7 +44,6 @@ interface UseNetworkDetails { } export const useNetworkDetails = ({ - docValueFields, filterQuery, indexNames, id = ID, @@ -126,7 +123,6 @@ export const useNetworkDetails = ({ const myRequest = { ...(prevRequest ?? {}), defaultIndex: indexNames, - docValueFields: docValueFields ?? [], factoryQueryType: NetworkQueries.details, filterQuery: createFilter(filterQuery), ip, @@ -136,7 +132,7 @@ export const useNetworkDetails = ({ } return prevRequest; }); - }, [indexNames, filterQuery, ip, docValueFields, id]); + }, [indexNames, filterQuery, ip, id]); useEffect(() => { networkDetailsSearch(networkDetailsRequest); diff --git a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx index f28798af68dc2..bcaf7b6e8a746 100644 --- a/x-pack/plugins/security_solution/public/network/pages/details/index.tsx +++ b/x-pack/plugins/security_solution/public/network/pages/details/index.tsx @@ -104,7 +104,6 @@ const NetworkDetailsComponent: React.FC = () => { useInvalidFilterQuery({ id: ID, filterQuery, kqlError, query, startDate: from, endDate: to }); const [loading, { id, inspect, networkDetails, refetch }] = useNetworkDetails({ - docValueFields, skip: isInitializing, filterQuery, indexNames: selectedPatterns, 
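Review bot: The `@@ -104,7 +104,6` hunk removes `docValueFields` from the `useNetworkDetails` call in `NetworkDetailsComponent` but not from wherever the component obtains it; the matching `expandable_network.tsx` hunk in this commit removes it from the `useSourcererDataView()` destructure as well, so if this component still destructures `docValueFields` outside the hunk it is now an unused binding that lint will flag. `NetworkDetailsComponent` starts before the hunk, so that line cannot be checked here.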
diff --git a/x-pack/plugins/security_solution/public/plugin.tsx b/x-pack/plugins/security_solution/public/plugin.tsx index 904ccb50bf6b2..4548857ba225b 100644 --- a/x-pack/plugins/security_solution/public/plugin.tsx +++ b/x-pack/plugins/security_solution/public/plugin.tsx @@ -49,7 +49,7 @@ import { } from '../common/constants'; import { getDeepLinks, registerDeepLinksUpdater } from './app/deep_links'; -import { AppLinkItems, subscribeAppLinks, updateAppLinks } from './common/links'; +import { AppLinkItems, LinksPermissions, subscribeAppLinks, updateAppLinks } from './common/links'; import { getSubPluginRoutesByCapabilities, manageOldSiemRoutes } from './helpers'; import { SecurityAppStore } from './common/store/store'; import { licenseService } from './common/hooks/use_license'; 
@@ -239,64 +239,8 @@ export class Plugin implements IPlugin { - getAppLinks(core, plugins).then((appLinks) => { - if (licensing !== null) { - this.licensingSubscription = licensing.subscribe((currentLicense) => { - if (currentLicense.type !== undefined) { - updateAppLinks(appLinks, { - experimentalFeatures: this.experimentalFeatures, - license: currentLicense, - capabilities: core.application.capabilities, - }); - - if (!newNavEnabled) { - // TODO: remove block when nav flag no longer needed - this.appUpdater$.next(() => ({ - navLinkStatus: AppNavLinkStatus.hidden, // workaround to prevent main navLink to switch to visible after update. should not be needed - deepLinks: getDeepLinks( - this.experimentalFeatures, - currentLicense.type, - core.application.capabilities - ), - })); - } - } - }); - } else { - updateAppLinks(appLinks, { - experimentalFeatures: this.experimentalFeatures, - capabilities: core.application.capabilities, - }); - - if (!newNavEnabled) { - // TODO: remove block when nav flag no longer needed - this.appUpdater$.next(() => ({ - navLinkStatus: AppNavLinkStatus.hidden, // workaround to prevent main navLink to switch to visible after update. should not be needed - deepLinks: getDeepLinks( - this.experimentalFeatures, - undefined, - core.application.capabilities - ), - })); - } - } - }); - }); + this.registerAppLinks(core, plugins); return {}; } 
@@ -374,6 +318,7 @@ export class Plugin implements IPlugin ({ + navLinkStatus: AppNavLinkStatus.hidden, // workaround to prevent main navLink to switch to visible after update. should not be needed + deepLinks: getDeepLinks( + this.experimentalFeatures, + undefined, + core.application.capabilities + ), + })); + } + + // async links filtering + updateAppLinks(await getFilteredLinks(core, plugins), linksPermissions); + + return; + } + + this.licensingSubscription = licensing.subscribe(async (currentLicense) => { + if (currentLicense.type !== undefined) { + linksPermissions.license = currentLicense; + } + + // set initial links to not block rendering + updateAppLinks(links, linksPermissions); + + if (!newNavEnabled) { + // TODO: remove block when nav flag no longer needed + this.appUpdater$.next(() => ({ + navLinkStatus: AppNavLinkStatus.hidden, // workaround to prevent main navLink to switch to visible after update. should not be needed + deepLinks: getDeepLinks( + this.experimentalFeatures, + currentLicense.type, + core.application.capabilities + ), + })); + } + + // async links filtering + updateAppLinks(await getFilteredLinks(core, plugins), linksPermissions); + }); + } } diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx index 440d8280e19aa..6df8dbc307e7a 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/network_details/expandable_network.tsx 
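Review bot: The `licensing.subscribe(async (currentLicense) => { … })` callback in the new `registerAppLinks` awaits `getFilteredLinks(core, plugins)` with no ordering guard, so two license emissions in quick succession can resolve out of order and the older filtered set overwrites the newer one registered by the second emission; the same `await` in the `licensing === null` branch has the same shape. Nothing catches a rejection from `getFilteredLinks` in either branch, so a failure surfaces as an unhandled promise rejection while the unfiltered `links` stay registered. A monotonically increasing emission counter plus a `.catch` fixes both; whether the swallowed error should be reported somewhere (there is no logger in view) is a judgement call for the owners. The start of `registerAppLinks` is not legible in this view, so the excerpt below begins at the subscription.
```typescript
// … unchanged: start of registerAppLinks, non-licensing branch (apply the same .catch there) …

let latestEmission = 0;
this.licensingSubscription = licensing.subscribe(async (currentLicense) => {
  const emission = ++latestEmission;
  // … unchanged: linksPermissions.license bookkeeping, initial updateAppLinks(links, …), deep-links workaround …

  // async links filtering — drop the result if a newer license emission has arrived meanwhile,
  // and never let a failed fetch escape as an unhandled rejection (the initial links stay in place)
  const filteredLinks = await getFilteredLinks(core, plugins).catch(() => undefined);
  if (filteredLinks !== undefined && emission === latestEmission) {
    updateAppLinks(filteredLinks, linksPermissions);
  }
});
```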
@@ -98,7 +98,7 @@ export const ExpandableNetworkDetails = ({ services: { uiSettings }, } = useKibana(); - const { docValueFields, indicesExist, indexPattern, selectedPatterns } = useSourcererDataView(); + const { indicesExist, indexPattern, selectedPatterns } = useSourcererDataView(); const [filterQuery, kqlError] = convertToBuildEsQuery({ config: getEsQueryConfig(uiSettings), indexPattern, @@ -107,7 +107,6 @@ export const ExpandableNetworkDetails = ({ }); const [loading, { id, networkDetails }] = useNetworkDetails({ - docValueFields, skip: isInitializing || filterQuery === undefined, filterQuery, indexNames: selectedPatterns, diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.test.tsx index bff9aa1460237..8e7a2638f4b8e 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.test.tsx @@ -15,7 +15,7 @@ import { mockTimelineData } from '../../../../../common/mock'; import { defaultHeaders } from '../column_headers/default_headers'; import { getDefaultControlColumn } from '../control_columns'; -import { DataDrivenColumns } from '.'; +import { DataDrivenColumns, getMappedNonEcsValue } from '.'; describe('Columns', () => { const headersSansTimestamp = defaultHeaders.filter((h) => h.id !== '@timestamp'); 
@@ -56,4 +56,39 @@ describe('Columns', () => { expect(wrapper).toMatchSnapshot(); }); + + describe('getMappedNonEcsValue', () => { + const existingField = 'Descarte'; + const existingValue = ['IThinkThereforeIAm']; + + test('should return the value if the fieldName is found', () => { + const result = getMappedNonEcsValue({ + data: [{ field: existingField, value: existingValue }], + fieldName: existingField, + }); + + expect(result).toBe(existingValue); + }); + + test('should return undefined if the value cannot be found in the array', () => { + const result = getMappedNonEcsValue({ + data: [{ field: existingField, value: existingValue }], + fieldName: 'nonExistent', + }); + + expect(result).toBeUndefined(); + }); + + test('should return undefined when data is an empty array', () => { + const result = getMappedNonEcsValue({ data: [], fieldName: existingField }); + + expect(result).toBeUndefined(); + }); + + test('should return undefined when data is undefined', () => { + const result = getMappedNonEcsValue({ data: undefined, fieldName: existingField }); + + expect(result).toBeUndefined(); + }); + }); }); diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx index 3aa5b2ea7376b..031c6e9f98ef7 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/data_driven_columns/index.tsx 
@@ -441,9 +441,16 @@ export const getMappedNonEcsValue = ({
 data,
 fieldName,
 }: {
- data: TimelineNonEcsData[];
+ data?: TimelineNonEcsData[];
 fieldName: string;
 }): string[] | undefined => {
+ /*
+ While data _should_ always be defined
+ There is the potential for race conditions where a component using this function
+ is still visible in the UI, while the data has since been removed.
+ To cover all scenarios where this happens we'll check for the presence of data here
+ */
+ if (!data || data.length === 0) return undefined;
 const item = data.find((d) => d.field === fieldName);
 if (item != null && item.value != null) {
 return item.value;
@@ -455,7 +462,7 @@ export const useGetMappedNonEcsValue = ({
 data,
 fieldName,
 }: {
- data: TimelineNonEcsData[];
+ data?: TimelineNonEcsData[];
 fieldName: string;
 }): string[] | undefined => {
 return useMemo(() => getMappedNonEcsValue({ data, fieldName }), [data, fieldName]);
diff --git a/x-pack/plugins/security_solution/public/timelines/links.ts b/x-pack/plugins/security_solution/public/timelines/links.ts
index bd972efd8a02a..be79a9ef5ecf0 100644
--- a/x-pack/plugins/security_solution/public/timelines/links.ts
+++ b/x-pack/plugins/security_solution/public/timelines/links.ts
@@ -21,7 +21,7 @@ export const links: LinkItem = {
 defaultMessage: 'Timelines',
 }),
 ],
- globalNavOrder: 9005,
+ globalNavOrder: 9006,
 links: [
 {
 id: SecurityPageName.timelinesTemplates,
diff --git a/x-pack/plugins/security_solution/public/types.ts b/x-pack/plugins/security_solution/public/types.ts
index fca11f84a7abb..4e274a59349a0 100644
--- a/x-pack/plugins/security_solution/public/types.ts
+++ b/x-pack/plugins/security_solution/public/types.ts
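Review bot: The `data.length === 0` half of the new guard in `getMappedNonEcsValue` is redundant — `[].find(...)` already returns `undefined` and the function falls through to the same result — so `if (!data) return undefined;` says exactly what the comment describes (data missing) without implying an empty array is a special case. The five-line block comment would also read more naturally as a `//` comment on that single line, e.g. `// data can be undefined transiently: a column may still be mounted after its row data was removed`. Behaviour is otherwise unchanged by this suggestion; the tail of the function is outside the hunk.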
@@ -26,6 +26,7 @@ import type { CasesUiStart } from '@kbn/cases-plugin/public'; import type { SecurityPluginSetup } from '@kbn/security-plugin/public'; import type { TimelinesUIStart } from '@kbn/timelines-plugin/public'; import type { SessionViewStart } from '@kbn/session-view-plugin/public'; +import type { KubernetesSecurityStart } from '@kbn/kubernetes-security-plugin/public'; import type { MlPluginSetup, MlPluginStart } from '@kbn/ml-plugin/public'; import type { OsqueryPluginStart } from '@kbn/osquery-plugin/public'; import type { LicensingPluginStart, LicensingPluginSetup } from '@kbn/licensing-plugin/public'; @@ -40,6 +41,7 @@ import type { Exceptions } from './exceptions'; import type { Hosts } from './hosts'; import type { Users } from './users'; import type { Network } from './network'; +import type { Kubernetes } from './kubernetes'; import type { Overview } from './overview'; import type { Rules } from './rules'; import type { Timelines } from './timelines'; @@ -63,6 +65,7 @@ export interface StartPlugins { embeddable: EmbeddableStart; inspector: InspectorStart; fleet?: FleetStart; + kubernetesSecurity: KubernetesSecurityStart; lens: LensPublicStart; lists?: ListsPluginStart; licensing: LicensingPluginStart; @@ -104,6 +107,7 @@ export interface SubPlugins { hosts: Hosts; users: Users; network: Network; + kubernetes: Kubernetes; overview: Overview; timelines: Timelines; management: Management; @@ -119,6 +123,7 @@ export interface StartedSubPlugins { hosts: ReturnType; users: ReturnType; network: ReturnType; + kubernetes: ReturnType; overview: ReturnType; timelines: ReturnType; management: ReturnType; diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.test.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.test.ts new file mode 100644 index 0000000000000..830613e8bc5e0 --- /dev/null 
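Review bot: `kubernetesSecurity: KubernetesSecurityStart;` is added to `StartPlugins` as a required member while neighbouring plugins that may be absent (`fleet?`, `lists?`) are optional, and `KubernetesContainer` in this same commit dereferences `useKibana().services.kubernetesSecurity.getKubernetesPage` without a guard; that is only sound if `kibana.json` lists `kubernetesSecurity` under `requiredPlugins`. If it is an optional plugin, declare it `kubernetesSecurity?: KubernetesSecurityStart;` and guard the call site. The manifest is not part of this view, so this needs checking by the author.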
+++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.test.ts 
@@ -0,0 +1,96 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { formatLocationAsGeoEcs, transformLocationFields } from './format_response_object_values'; + +describe('formatLocationAsGeoEcs', () => { + it('returns GeoEcs location if item has both coordinates', () => { + const res = formatLocationAsGeoEcs([ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', + }, + ]); + expect(res).toEqual({ lon: [-77.2481], lat: [38.6583] }); + }); + + it('returns input item without geo formatting if it does not have both coordinates', () => { + const input = [ + { + coordinates: [-77.2481], + type: 'Point', + }, + ]; + const res = formatLocationAsGeoEcs(input); + expect(res).toEqual(input); + }); + + it('returns input item without geo formatting if the coordinates property is missing', () => { + const res = formatLocationAsGeoEcs(['test']); + expect(res).toEqual(['test']); + + const resEmpty = formatLocationAsGeoEcs([]); + expect(resEmpty).toEqual([]); + }); +}); + +describe('transformLocationFields', () => { + it('returns transformed location if it has a valid format and both coordinates', () => { + const res = transformLocationFields({ + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', + }, + ], + }); + expect(res).toEqual({ + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': { lon: [-77.2481], lat: [38.6583] }, + }); + }); + + it('returns input item without geo transformation, if it does not have both coordinates', () => { + const input = { + someOtherFeild: ['test'], + 'some.geo.location': [ + { + coordinates: [-77.2481], + type: 'Point', + }, + ], + }; + const res = transformLocationFields(input); + expect(res).toEqual(input); + }); + + it('returns input item 
without geo transformation, if location is not a geo location', () => { + const input = { + someOtherFeild: ['test'], + 'some.location': [ + { + coordinates: [-77.2481, 67], + type: 'Point', + }, + ], + }; + const res = transformLocationFields(input); + expect(res).toEqual(input); + }); + + it('returns input item without geo formatting if the coordinates property is missing', () => { + const res = transformLocationFields({}); + expect(res).toEqual({}); + + const resEmpty = transformLocationFields({ + someOtherFeild: ['test'], + }); + expect(resEmpty).toEqual({ + someOtherFeild: ['test'], + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts index 0b418c0da410c..a20e5aba9fda1 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/helpers/format_response_object_values.ts @@ -6,8 +6,10 @@ */ import { mapValues, isObject, isArray } from 'lodash/fp'; +import { set } from '@elastic/safer-lodash-set'; import { toArray } from '../../../common/utils/to_array'; +import { isGeoField } from '../../../common/utils/field_formatters'; export const mapObjectValuesToStringArray = (object: object): object => mapValues((o) => { 
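Review bot: `unflattenObject`, the new helper in format_response_object_values.ts that turns dotted keys from an Elasticsearch `fields` response into nested objects, has no coverage in this file, while the two location helpers are well covered. A case such as `expect(unflattenObject({ 'a.b': [1], c: [2] })).toEqual({ a: { b: [1] }, c: [2] })` would pin the nesting, and a case with a key like `'__proto__.x'` would pin whatever `@elastic/safer-lodash-set` does with prototype-modifying segments, so that guarantee is not silently lost if the import is ever swapped for plain lodash `set`. The fixture key `someOtherFeild` is misspelled in three places; harmless as test data, but `someOtherField` reads better.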
@@ -25,3 +27,34 @@ export const formatResponseObjectValues = (object: T | T[] | null) => { return object; }; + +interface GenericObject { + [key: string]: unknown; +} + +export const unflattenObject = (object: object): T => + Object.entries(object).reduce((acc, [key, value]) => { + set(acc, key, value); + return acc; + }, {} as T); + +export const formatLocationAsGeoEcs = (item: unknown[]) => { + const itemGeo = item.length > 0 ? (item[0] as { coordinates: number[] }) : null; + if (!!itemGeo && isArray(itemGeo.coordinates) && itemGeo.coordinates.length > 1) { + return { + lon: [itemGeo.coordinates[0]], + lat: [itemGeo.coordinates[1]], + }; + } + return item; +}; + +export const transformLocationFields = (locationFields: Record) => { + const transformed = { ...locationFields }; + Object.entries(transformed).forEach(([key, item]) => { + if (isGeoField(key)) { + transformed[key] = formatLocationAsGeoEcs(item as unknown[]); + } + }); + return transformed; +}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/__mocks__/index.ts index c121a0d7830a7..6690730825f56 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/__mocks__/index.ts 
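Review bot: `formatLocationAsGeoEcs` reads `item.length` before checking that `item` is an array, so a `null` or scalar value stored under a geo key would throw inside `transformLocationFields` (which casts with `item as unknown[]`) instead of being passed through like the other non-matching shapes; `const itemGeo = Array.isArray(item) && item.length > 0 ? (item[0] as { coordinates: number[] }) : null;` closes that gap. The `coordinates[0] → lon`, `coordinates[1] → lat` mapping relies on the GeoJSON `Point` ordering shown in the updated fixtures and never inspects `type`, which deserves a comment such as `// fields API returns geo_point as GeoJSON { type: 'Point', coordinates: [lon, lat] }`. A why-comment on `unflattenObject` would also help: `// keys are dotted paths from an ES response; safer-lodash-set is used because it rejects prototype-modifying segments such as __proto__`.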
@@ -23,108 +23,6 @@ export const mockOptions: NetworkDetailsRequestOptions = { 'packetbeat-*', 'winlogbeat-*', ], - docValueFields: [ - { field: '@timestamp', format: 'date_time' }, - { field: 'event.created', format: 'date_time' }, - { field: 'event.end', format: 'date_time' }, - { field: 'event.ingested', format: 'date_time' }, - { field: 'event.start', format: 'date_time' }, - { field: 'file.accessed', format: 'date_time' }, - { field: 'file.created', format: 'date_time' }, - { field: 'file.ctime', format: 'date_time' }, - { field: 'file.mtime', format: 'date_time' }, - { field: 'package.installed', format: 'date_time' }, - { field: 'process.parent.start', format: 'date_time' }, - { field: 'process.start', format: 'date_time' }, - { field: 'system.audit.host.boottime', format: 'date_time' }, - { field: 'system.audit.package.installtime', format: 'date_time' }, - { field: 'system.audit.user.password.last_changed', format: 'date_time' }, - { field: 'tls.client.not_after', format: 'date_time' }, - { field: 'tls.client.not_before', format: 'date_time' }, - { field: 'tls.server.not_after', format: 'date_time' }, - { field: 'tls.server.not_before', format: 'date_time' }, - { field: 'aws.cloudtrail.user_identity.session_context.creation_date', format: 'date_time' }, - { field: 'azure.auditlogs.properties.activity_datetime', format: 'date_time' }, - { field: 'azure.enqueued_time', format: 'date_time' }, - { field: 'azure.signinlogs.properties.created_at', format: 'date_time' }, - { field: 'cef.extensions.agentReceiptTime', format: 'date_time' }, - { field: 'cef.extensions.deviceCustomDate1', format: 'date_time' }, - { field: 'cef.extensions.deviceCustomDate2', format: 'date_time' }, - { field: 'cef.extensions.deviceReceiptTime', format: 'date_time' }, - { field: 'cef.extensions.endTime', format: 'date_time' }, - { field: 'cef.extensions.fileCreateTime', format: 'date_time' }, - { field: 'cef.extensions.fileModificationTime', format: 'date_time' }, - { field: 
'cef.extensions.flexDate1', format: 'date_time' }, - { field: 'cef.extensions.managerReceiptTime', format: 'date_time' }, - { field: 'cef.extensions.oldFileCreateTime', format: 'date_time' }, - { field: 'cef.extensions.oldFileModificationTime', format: 'date_time' }, - { field: 'cef.extensions.startTime', format: 'date_time' }, - { field: 'checkpoint.subs_exp', format: 'date_time' }, - { field: 'crowdstrike.event.EndTimestamp', format: 'date_time' }, - { field: 'crowdstrike.event.IncidentEndTime', format: 'date_time' }, - { field: 'crowdstrike.event.IncidentStartTime', format: 'date_time' }, - { field: 'crowdstrike.event.ProcessEndTime', format: 'date_time' }, - { field: 'crowdstrike.event.ProcessStartTime', format: 'date_time' }, - { field: 'crowdstrike.event.StartTimestamp', format: 'date_time' }, - { field: 'crowdstrike.event.Timestamp', format: 'date_time' }, - { field: 'crowdstrike.event.UTCTimestamp', format: 'date_time' }, - { field: 'crowdstrike.metadata.eventCreationTime', format: 'date_time' }, - { field: 'gsuite.admin.email.log_search_filter.end_date', format: 'date_time' }, - { field: 'gsuite.admin.email.log_search_filter.start_date', format: 'date_time' }, - { field: 'gsuite.admin.user.birthdate', format: 'date_time' }, - { field: 'kafka.block_timestamp', format: 'date_time' }, - { field: 'microsoft.defender_atp.lastUpdateTime', format: 'date_time' }, - { field: 'microsoft.defender_atp.resolvedTime', format: 'date_time' }, - { field: 'misp.campaign.first_seen', format: 'date_time' }, - { field: 'misp.campaign.last_seen', format: 'date_time' }, - { field: 'misp.intrusion_set.first_seen', format: 'date_time' }, - { field: 'misp.intrusion_set.last_seen', format: 'date_time' }, - { field: 'misp.observed_data.first_observed', format: 'date_time' }, - { field: 'misp.observed_data.last_observed', format: 'date_time' }, - { field: 'misp.report.published', format: 'date_time' }, - { field: 'misp.threat_indicator.valid_from', format: 'date_time' }, - { field: 
'misp.threat_indicator.valid_until', format: 'date_time' }, - { field: 'netflow.collection_time_milliseconds', format: 'date_time' }, - { field: 'netflow.exporter.timestamp', format: 'date_time' }, - { field: 'netflow.flow_end_microseconds', format: 'date_time' }, - { field: 'netflow.flow_end_milliseconds', format: 'date_time' }, - { field: 'netflow.flow_end_nanoseconds', format: 'date_time' }, - { field: 'netflow.flow_end_seconds', format: 'date_time' }, - { field: 'netflow.flow_start_microseconds', format: 'date_time' }, - { field: 'netflow.flow_start_milliseconds', format: 'date_time' }, - { field: 'netflow.flow_start_nanoseconds', format: 'date_time' }, - { field: 'netflow.flow_start_seconds', format: 'date_time' }, - { field: 'netflow.max_export_seconds', format: 'date_time' }, - { field: 'netflow.max_flow_end_microseconds', format: 'date_time' }, - { field: 'netflow.max_flow_end_milliseconds', format: 'date_time' }, - { field: 'netflow.max_flow_end_nanoseconds', format: 'date_time' }, - { field: 'netflow.max_flow_end_seconds', format: 'date_time' }, - { field: 'netflow.min_export_seconds', format: 'date_time' }, - { field: 'netflow.min_flow_start_microseconds', format: 'date_time' }, - { field: 'netflow.min_flow_start_milliseconds', format: 'date_time' }, - { field: 'netflow.min_flow_start_nanoseconds', format: 'date_time' }, - { field: 'netflow.min_flow_start_seconds', format: 'date_time' }, - { field: 'netflow.monitoring_interval_end_milli_seconds', format: 'date_time' }, - { field: 'netflow.monitoring_interval_start_milli_seconds', format: 'date_time' }, - { field: 'netflow.observation_time_microseconds', format: 'date_time' }, - { field: 'netflow.observation_time_milliseconds', format: 'date_time' }, - { field: 'netflow.observation_time_nanoseconds', format: 'date_time' }, - { field: 'netflow.observation_time_seconds', format: 'date_time' }, - { field: 'netflow.system_init_time_milliseconds', format: 'date_time' }, - { field: 'rsa.internal.lc_ctime', 
format: 'date_time' }, - { field: 'rsa.internal.time', format: 'date_time' }, - { field: 'rsa.time.effective_time', format: 'date_time' }, - { field: 'rsa.time.endtime', format: 'date_time' }, - { field: 'rsa.time.event_queue_time', format: 'date_time' }, - { field: 'rsa.time.event_time', format: 'date_time' }, - { field: 'rsa.time.expire_time', format: 'date_time' }, - { field: 'rsa.time.recorded_time', format: 'date_time' }, - { field: 'rsa.time.stamp', format: 'date_time' }, - { field: 'rsa.time.starttime', format: 'date_time' }, - { field: 'sophos.xg.date', format: 'date_time' }, - { field: 'sophos.xg.eventtime', format: 'date_time' }, - { field: 'sophos.xg.start_time', format: 'date_time' }, - ], factoryQueryType: NetworkQueries.details, filterQuery: '{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}}', ip: '35.196.65.164', 
@@ -150,29 +48,27 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'auditbeat-7.8.0-2020.11.23-000004', _id: 'wRCuOnYB7WTwW_GluxL8', _score: undefined, - _source: { - host: { - hostname: 'internal-ci-immutable-rm-ubuntu-2004-big2-1607296224012102773', - os: { - kernel: '5.4.0-1030-gcp', - codename: 'focal', - name: 'Ubuntu', - family: 'debian', - version: '20.04.1 LTS (Focal Fossa)', - platform: 'ubuntu', - }, - containerized: false, - ip: [ - '10.224.0.219', - 'fe80::4001:aff:fee0:db', - '172.17.0.1', - 'fe80::42:3fff:fe35:46f8', - ], - name: 'internal-ci-immutable-rm-ubuntu-2004-big2-1607296224012102773', - id: 'a4b4839036f2d1161a21f12ea786a596', - mac: ['42:01:0a:e0:00:db', '02:42:3f:35:46:f8'], - architecture: 'x86_64', - }, + fields: { + 'host.hostname': [ + 'internal-ci-immutable-rm-ubuntu-2004-big2-1607296224012102773', + ], + 'host.os.kernel': ['5.4.0-1030-gcp'], + 'host.os.codename': ['focal'], + 'host.os.name': ['Ubuntu'], + 'host.os.family': ['debian'], + 'host.os.version': ['20.04.1 LTS (Focal Fossa)'], + 'host.os.platform': ['ubuntu'], + 'host.containerized': [false], + 'host.ip': [ + '10.224.0.219', + 'fe80::4001:aff:fee0:db', + '172.17.0.1', + 'fe80::42:3fff:fe35:46f8', + ], + 'host.name': ['internal-ci-immutable-rm-ubuntu-2004-big2-1607296224012102773'], + 'host.id': ['a4b4839036f2d1161a21f12ea786a596'], + 'host.mac': ['42:01:0a:e0:00:db', '02:42:3f:35:46:f8'], + 'host.architecture': ['x86_64'], }, sort: [1607302298617], }, 
@@ -195,16 +91,17 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1523631609876537', _score: undefined, - _source: { - destination: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + fields: { + 'destination.geo.continent_name': ['North America'], + 'destination.geo.region_iso_code': ['US-VA'], + 'destination.geo.country_iso_code': ['US'], + 'destination.geo.region_name': ['Virginia'], + 'destination.geo.location': [ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', }, - }, + ], }, sort: [1599703212208], }, @@ -224,8 +121,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1523631609876537', _score: undefined, - _source: { - destination: { as: { number: 15169, organization: { name: 'Google LLC' } } }, + fields: { + 'destination.as.number': [15169], + 'destination.as.organization.name': ['Google LLC'], }, sort: [1599703212208], }, @@ -251,16 +149,17 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1523631486500511', _score: undefined, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-VA'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', }, - }, + ], }, sort: [1599703214494], }, 
@@ -280,8 +179,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1523631486500511', _score: undefined, - _source: { - source: { as: { number: 15169, organization: { name: 'Google LLC' } } }, + fields: { + 'source.as.number': [15169], + 'source.as.organization.name': ['Google LLC'], }, sort: [1599703214494], }, @@ -318,7 +218,6 @@ export const formattedSearchStrategyResponse = { ignore_unavailable: true, track_total_hits: false, body: { - docvalue_fields: mockOptions.docValueFields, aggs: { source: { filter: { term: { 'source.ip': '35.196.65.164' } }, @@ -331,7 +230,14 @@ export const formattedSearchStrategyResponse = { results: { top_hits: { size: 1, - _source: ['source.as'], + _source: false, + fields: [ + 'source.as*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, @@ -343,7 +249,14 @@ export const formattedSearchStrategyResponse = { results: { top_hits: { size: 1, - _source: ['source.geo'], + _source: false, + fields: [ + 'source.geo*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, @@ -362,7 +275,14 @@ export const formattedSearchStrategyResponse = { results: { top_hits: { size: 1, - _source: ['destination.as'], + _source: false, + fields: [ + 'destination.as*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, @@ -374,7 +294,14 @@ export const formattedSearchStrategyResponse = { results: { top_hits: { size: 1, - _source: ['destination.geo'], + _source: false, + fields: [ + 'destination.geo*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, 
@@ -386,13 +313,25 @@ export const formattedSearchStrategyResponse = { filter: { term: { 'host.ip': '35.196.65.164' } }, aggs: { results: { - top_hits: { size: 1, _source: ['host'], sort: [{ '@timestamp': 'desc' }] }, + top_hits: { + size: 1, + _source: false, + fields: [ + 'host*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + sort: [{ '@timestamp': 'desc' }], + }, }, }, }, }, query: { bool: { should: [] } }, size: 0, + _source: false, }, }, null, 
@@ -404,30 +343,30 @@ export const formattedSearchStrategyResponse = { source: { firstSeen: '2020-08-30T15:40:15.107Z', lastSeen: '2020-09-10T02:00:14.494Z', - autonomousSystem: { number: 15169, organization: { name: 'Google LLC' } }, + autonomousSystem: { number: [15169], organization: { name: ['Google LLC'] } }, geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + continent_name: ['North America'], + region_iso_code: ['US-VA'], + country_iso_code: ['US'], + region_name: ['Virginia'], + location: { lon: [-77.2481], lat: [38.6583] }, }, }, destination: { firstSeen: '2020-08-30T15:40:15.355Z', lastSeen: '2020-09-10T02:00:12.208Z', - autonomousSystem: { number: 15169, organization: { name: 'Google LLC' } }, + autonomousSystem: { number: [15169], organization: { name: ['Google LLC'] } }, geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + continent_name: ['North America'], + region_iso_code: ['US-VA'], + country_iso_code: ['US'], + region_name: ['Virginia'], + location: { lon: [-77.2481], lat: [38.6583] }, }, }, host: { architecture: ['x86_64'], - containerized: ['false'], + containerized: [false], hostname: ['internal-ci-immutable-rm-ubuntu-2004-big2-1607296224012102773'], id: ['a4b4839036f2d1161a21f12ea786a596'], ip: ['10.224.0.219', 'fe80::4001:aff:fee0:db', '172.17.0.1', 'fe80::42:3fff:fe35:46f8'], @@ -470,7 +409,18 @@ export const expectedDsl = { filter: { exists: { field: 'source.as' } }, aggs: { results: { - top_hits: { size: 1, _source: ['source.as'], sort: [{ '@timestamp': 'desc' }] }, + top_hits: { + size: 1, + _source: false, + fields: [ + 'source.as*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + sort: [{ '@timestamp': 'desc' }], + }, }, }, }, 
@@ -478,7 +428,18 @@ export const expectedDsl = { filter: { exists: { field: 'source.geo' } }, aggs: { results: { - top_hits: { size: 1, _source: ['source.geo'], sort: [{ '@timestamp': 'desc' }] }, + top_hits: { + size: 1, + _source: false, + fields: [ + 'source.geo*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + sort: [{ '@timestamp': 'desc' }], + }, }, }, }, @@ -495,7 +456,14 @@ export const expectedDsl = { results: { top_hits: { size: 1, - _source: ['destination.as'], + _source: false, + fields: [ + 'destination.as*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, @@ -507,7 +475,14 @@ export const expectedDsl = { results: { top_hits: { size: 1, - _source: ['destination.geo'], + _source: false, + fields: [ + 'destination.geo*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [{ '@timestamp': 'desc' }], }, }, @@ -518,12 +493,25 @@ export const expectedDsl = { host: { filter: { term: { 'host.ip': '35.196.65.164' } }, aggs: { - results: { top_hits: { size: 1, _source: ['host'], sort: [{ '@timestamp': 'desc' }] } }, + results: { + top_hits: { + size: 1, + _source: false, + fields: [ + 'host*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + sort: [{ '@timestamp': 'desc' }], + }, + }, }, }, }, - docvalue_fields: mockOptions.docValueFields, query: { bool: { should: [] } }, size: 0, + _source: false, }, }; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.test.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.test.ts new file mode 100644 index 0000000000000..921fbcb7ac301 --- /dev/null +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.test.ts 
@@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { mockSearchStrategyResponse, formattedSearchStrategyResponse } from './__mocks__'; +import { getNetworkDetailsAgg } from './helpers'; + +describe('getNetworkDetailsAgg', () => { + test('should return data correctly', async () => { + const sourceResult = getNetworkDetailsAgg( + 'source', + mockSearchStrategyResponse.rawResponse.aggregations!.source + ); + expect(sourceResult).toEqual({ source: formattedSearchStrategyResponse.networkDetails.source }); + + const destinationResult = getNetworkDetailsAgg( + 'destination', + mockSearchStrategyResponse.rawResponse.aggregations!.destination + ); + expect(destinationResult).toEqual({ + destination: formattedSearchStrategyResponse.networkDetails.destination, + }); + }); +}); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.ts index cc1bfdff8e096..75938fadd8535 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/helpers.ts 
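Review bot: Only the populated-hit path is exercised; `getNetworkDetailsAgg` now falls back to `{}` (previously `null`) when the `as` or `geo` top_hits are absent, and nothing here pins that new contract. A second case calling `getNetworkDetailsAgg('source', {})` and asserting the empty-object fallbacks, with the exact result shape taken from the function's return block (outside this diff), would lock it in. The `async` on the test callback is unused since nothing is awaited.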
@@ -6,27 +6,32 @@ */ import { getOr } from 'lodash/fp'; +import { + unflattenObject, + transformLocationFields, +} from '../../../../helpers/format_response_object_values'; import { GeoEcs } from '../../../../../../common/ecs/geo'; -import { HostEcs } from '../../../../../../common/ecs/host'; import { AutonomousSystem, - NetworkDetailsHostHit, NetworkHit, } from '../../../../../../common/search_strategy/security_solution/network'; -import { toObjectArrayOfStrings } from '../../../../../../common/utils/to_array'; export const getNetworkDetailsAgg = (type: string, networkHit: NetworkHit | {}) => { const firstSeen = getOr(null, `firstSeen.value_as_string`, networkHit); const lastSeen = getOr(null, `lastSeen.value_as_string`, networkHit); - const autonomousSystem: AutonomousSystem | null = getOr( - null, - `as.results.hits.hits[0]._source.${type}.as`, - networkHit + + const autonomousSystem: AutonomousSystem | {} = getOr( + {}, + `${type}.as`, + unflattenObject(getOr({}, 'as.results.hits.hits[0].fields', networkHit)) ); - const geoFields: GeoEcs | null = getOr( - null, - `geo.results.hits.hits[0]._source.${type}.geo`, - networkHit + + const geoFields: GeoEcs | {} = getOr( + {}, + `${type}.geo`, + unflattenObject( + transformLocationFields(getOr({}, 'geo.results.hits.hits[0].fields', networkHit)) + ) ); return { 
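Review bot: The annotations `AutonomousSystem | {}` and `GeoEcs | {}` may no longer describe what the values hold: the `fields` API returns every leaf as an array, and the updated fixture expects `number: [15169]` and `location: { lon: [-77.2481], lat: [38.6583] }`, so unless `AutonomousSystem` and `GeoEcs` already declare array-valued members (not visible here) the types are now misleading to consumers. Switching the fallback from `null` to `{}` also changes what the remainder of `getNetworkDetailsAgg` (its body continues outside the hunk) and its callers see for a missing hit; any `== null` checks downstream would stop triggering. A short comment above the two `getOr` calls, e.g. `// fields-API hits are flat dotted keys with array values; unflatten before picking the \`${type}.as\` / \`${type}.geo\` subtree`, would help the next reader.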
@@ -42,29 +47,3 @@ export const getNetworkDetailsAgg = (type: string, networkHit: NetworkHit | {}) }, }; }; - -const formatHostEcs = (data: Record | null): HostEcs | null => { - if (data == null) { - return null; - } - return Object.entries(data).reduce((acc, [key, value]) => { - if (typeof value === 'object' && value != null && !Array.isArray(value)) { - return { ...acc, [key]: formatHostEcs(value as Record) }; - } - return { - ...acc, - [key]: toObjectArrayOfStrings(value).map(({ str }) => str), - }; - }, {}); -}; - -export const getNetworkDetailsHostAgg = (hostDetailsHit: NetworkDetailsHostHit | {}) => { - const hostFields: HostEcs | null = formatHostEcs( - getOr(null, `results.hits.hits[0]._source.host`, hostDetailsHit) - ); - return { - host: { - ...hostFields, - }, - }; -}; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/index.ts index 22f207ef3ac17..9296b14647b94 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/index.ts @@ -18,8 +18,9 @@ import { import { inspectStringifyObject } from '../../../../../utils/build_query'; import { SecuritySolutionFactory } from '../../types'; -import { getNetworkDetailsAgg, getNetworkDetailsHostAgg } from './helpers'; +import { getNetworkDetailsAgg } from './helpers'; import { buildNetworkDetailsQuery } from './query.details_network.dsl'; +import { unflattenObject } from '../../../../helpers/format_response_object_values'; export const networkDetails: SecuritySolutionFactory = { buildDsl: (options: NetworkDetailsRequestOptions) => buildNetworkDetailsQuery(options), 
@@ -31,16 +32,22 @@ export const networkDetails: SecuritySolutionFactory = { dsl: [inspectStringifyObject(buildNetworkDetailsQuery(options))], }; + const hostDetailsHit = getOr({}, 'aggregations.host', response.rawResponse); + const hostFields = unflattenObject( + getOr({}, `results.hits.hits[0].fields`, { ...hostDetailsHit }) + ); + return { ...response, inspect, networkDetails: { - ...getNetworkDetailsAgg('source', getOr({}, 'aggregations.source', response.rawResponse)), - ...getNetworkDetailsAgg( - 'destination', - getOr({}, 'aggregations.destination', response.rawResponse) - ), - ...getNetworkDetailsHostAgg(getOr({}, 'aggregations.host', response.rawResponse)), + ...hostFields, + ...getNetworkDetailsAgg('source', { + ...getOr({}, 'aggregations.source', response.rawResponse), + }), + ...getNetworkDetailsAgg('destination', { + ...getOr({}, 'aggregations.destination', response.rawResponse), + }), }, }; }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/query.details_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/query.details_network.dsl.ts index 5684c7685231e..1e153859b9bc5 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/query.details_network.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/details/query.details_network.dsl.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { isEmpty } from 'lodash/fp'; import { NetworkDetailsRequestOptions } from '../../../../../../common/search_strategy/security_solution/network'; const getAggs = (type: string, ip: string) => { 
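Review bot: `...hostFields` spreads the whole unflattened hit into `networkDetails`, not just its `host` branch, so every key returned by the top_hits `fields` list lands at the top level; the query requests `@timestamp` alongside `host*`, so an `'@timestamp'` property will presumably appear in the response unless something upstream strips it (the mock hit carries no `@timestamp`, so the tests would not catch it). Picking the branch explicitly, `host: getOr({}, 'host', hostFields),` preserves the previous `{ host: {...} }` shape. Note also that the removed `formatHostEcs` coerced every leaf to a string array, whereas raw `fields` values keep their native types (`containerized: [false]` in the updated fixture), so consumers typed against string arrays should be checked. The `{ ...hostDetailsHit }` and `{ ...getOr(...) }` copies are unnecessary since `getOr` does not mutate its argument.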
@@ -37,7 +36,14 @@ const getAggs = (type: string, ip: string) => { results: { top_hits: { size: 1, - _source: [`${type}.as`], + _source: false, + fields: [ + `${type}.as*`, + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [ { '@timestamp': 'desc' as const, @@ -57,7 +63,14 @@ const getAggs = (type: string, ip: string) => { results: { top_hits: { size: 1, - _source: [`${type}.geo`], + _source: false, + fields: [ + `${type}.geo*`, + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [ { '@timestamp': 'desc' as const, @@ -84,7 +97,14 @@ const getHostAggs = (ip: string) => { results: { top_hits: { size: 1, - _source: ['host'], + _source: false, + fields: [ + 'host*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], sort: [ { '@timestamp': 'desc' as const, @@ -97,18 +117,13 @@ const getHostAggs = (ip: string) => { }; }; -export const buildNetworkDetailsQuery = ({ - defaultIndex, - docValueFields, - ip, -}: NetworkDetailsRequestOptions) => { +export const buildNetworkDetailsQuery = ({ defaultIndex, ip }: NetworkDetailsRequestOptions) => { const dslQuery = { allow_no_indices: true, index: defaultIndex, ignore_unavailable: true, track_total_hits: false, body: { - ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), aggs: { ...getAggs('source', ip), ...getAggs('destination', ip), @@ -120,6 +135,7 @@ export const buildNetworkDetailsQuery = ({ }, }, size: 0, + _source: false, }, }; diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts index 4eff4cb2efe61..06c31afb85195 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts 
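Review bot: The patterns `` `${type}.as*` ``, `` `${type}.geo*` `` and `'host*'` have no dot before the wildcard, so they match any field whose name merely starts with that prefix (a custom top-level `hostname`, or a `source.asn`-style field) in addition to the intended object's subfields; after `unflattenObject` such stray keys would land next to `host`, `as` or `geo` in the result. Assuming these are always object fields, `` `${type}.as.*` ``, `` `${type}.geo.*` `` and `'host.*'` restrict the request to the subtree; the fixtures and `expectedDsl` in network/details/__mocks__ repeat the same patterns and would need the same change. Whether any shipped index has colliding names I cannot tell from here, but the narrower pattern costs nothing.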
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts @@ -189,6 +189,14 @@ export const formattedSearchStrategyResponse = { must_not: [{ term: { 'dns.question.type': { value: 'PTR' } } }], }, }, + _source: false, + fields: [ + 'dns.question.registered_domain', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, @@ -261,6 +269,14 @@ export const expectedDsl = { must_not: [{ term: { 'dns.question.type': { value: 'PTR' } } }], }, }, + _source: false, + fields: [ + 'dns.question.registered_domain', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts index 612d83e81660d..37c6146721225 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts @@ -5,8 +5,6 @@ * 2.0. */ -import { isEmpty } from 'lodash/fp'; - import { assertUnreachable } from '../../../../../../common/utility_types'; import { Direction, @@ -66,7 +64,6 @@ const createIncludePTRFilter = (isPtrIncluded: boolean) => export const buildDnsQuery = ({ defaultIndex, - docValueFields, filterQuery, isPtrIncluded, sort, @@ -92,7 +89,6 @@ export const buildDnsQuery = ({ index: defaultIndex, ignore_unavailable: true, body: { - ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), aggregations: { ...getCountAgg(), dns_name_query_count: { 
@@ -132,6 +128,14 @@ export const buildDnsQuery = ({ ...createIncludePTRFilter(isPtrIncluded), }, }, + _source: false, + fields: [ + 'dns.question.registered_domain', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts index 6c4648728efac..e64321d3d00cb 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/__mocks__/index.ts @@ -72,9 +72,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'L4wXh3QBc39KFIJbgXrN', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '67.173.227.94' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['67.173.227.94'], }, }, ], @@ -114,9 +114,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'tEIXh3QBB-gskclyiT2g', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '35.227.65.114' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['35.227.65.114'], }, }, ], @@ -156,9 +156,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'MYwXh3QBc39KFIJbgXrN', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '67.173.227.94' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['67.173.227.94'], }, }, ], 
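Review bot: The request-level `_source: false` and `fields: [...]` added here sit next to `size: 0`, so they only affect hits — of which none are returned — unless one of the aggregations in this body uses `top_hits`; the visible part of `buildDnsQuery` (which starts outside the hunk) shows `dns_name_query_count` and `getCountAgg()` but no `top_hits`, so the `fields` list may be inert. If an aggregation does rely on it, a one-line comment naming that aggregation next to `fields:` would make the dependency explicit; if none does, the block can be dropped along with the matching additions in dns/__mocks__. The `docvalue_fields` removal is consistent with the other query builders in this commit.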
@@ -192,9 +192,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'MIwXh3QBc39KFIJbgXrN', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '24.168.52.229' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['24.168.52.229'], }, }, ], @@ -228,9 +228,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'MowXh3QBc39KFIJbgXrN', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '67.173.227.94' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['67.173.227.94'], }, }, ], @@ -267,9 +267,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: '6Ywch3QBc39KFIJbVY_k', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '67.173.227.94' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['67.173.227.94'], }, }, ], @@ -306,9 +306,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'rkIXh3QBB-gskclyiT2g', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '35.226.77.71' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['35.226.77.71'], }, }, ], @@ -354,9 +354,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'JEIYh3QBB-gskclyYEfA', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '35.171.72.245' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['35.171.72.245'], }, }, ], 
@@ -398,9 +398,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'sUIXh3QBB-gskclyiT2g', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '24.168.52.229' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['24.168.52.229'], }, }, ], @@ -434,9 +434,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 's0IXh3QBB-gskclyiT2g', _score: 0, - _source: { - host: { name: 'bastion00.siem.estc.dev' }, - source: { ip: '75.134.244.183' }, + fields: { + 'host.name': ['bastion00.siem.estc.dev'], + 'source.ip': ['75.134.244.183'], }, }, ], @@ -465,8 +465,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['GET'], statuses: ['200', '401'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '67.173.227.94', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['67.173.227.94'], path: '/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip', requestCount: 106704, }, @@ -481,8 +481,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['POST'], statuses: ['200', '401'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '35.227.65.114', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['35.227.65.114'], path: '/_bulk', requestCount: 76744, }, @@ -494,8 +494,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['POST'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '67.173.227.94', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['67.173.227.94'], path: '/.reporting-*/_search', requestCount: 58746, }, 
@@ -507,8 +507,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200'], methods: ['POST'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '24.168.52.229', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['24.168.52.229'], path: '/.kibana-task-manager-xavier-m/_update_by_query?ignore_unavailable=true&refresh=true&max_docs=10&conflicts=proceed', requestCount: 28715, }, @@ -524,8 +524,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200'], methods: ['POST'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '67.173.227.94', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['67.173.227.94'], path: '/.kibana-task-manager-andrewg-local-testing-7-9-ff/_update_by_query?ignore_unavailable=true&refresh=true&max_docs=10&conflicts=proceed', requestCount: 28161, }, @@ -541,8 +541,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['POST'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '67.173.227.94', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['67.173.227.94'], path: '/_security/user/_has_privileges', requestCount: 23283, }, @@ -554,8 +554,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['GET'], statuses: ['200', '401'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '35.226.77.71', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['35.226.77.71'], path: '/_xpack', requestCount: 20724, }, @@ -572,8 +572,8 @@ export const formattedSearchStrategyResponse = { ], methods: ['GET', 'HEAD', 'POST'], statuses: ['401', '404', '302', '200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '35.171.72.245', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['35.171.72.245'], path: '/', requestCount: 18306, }, 
@@ -585,8 +585,8 @@ export const formattedSearchStrategyResponse = { domains: ['es.siem.estc.dev:9200', 'es.siem.estc.dev'], methods: ['POST'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '24.168.52.229', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['24.168.52.229'], path: '/_monitoring/bulk?system_id=kibana&system_api_version=7&interval=10000ms', requestCount: 18048, }, @@ -601,8 +601,8 @@ export const formattedSearchStrategyResponse = { domains: ['kibana.siem.estc.dev'], methods: ['GET'], statuses: ['200'], - lastHost: 'bastion00.siem.estc.dev', - lastSourceIp: '75.134.244.183', + lastHost: ['bastion00.siem.estc.dev'], + lastSourceIp: ['75.134.244.183'], path: '/s/row-renderer-checking/api/reporting/jobs/count', requestCount: 14046, }, @@ -635,7 +635,7 @@ export const formattedSearchStrategyResponse = { domains: { terms: { field: 'url.domain', size: 4 } }, status: { terms: { field: 'http.response.status_code', size: 4 } }, source: { - top_hits: { size: 1, _source: { includes: ['host.name', 'source.ip'] } }, + top_hits: { size: 1, _source: false }, }, }, }, @@ -657,6 +657,19 @@ export const formattedSearchStrategyResponse = { ], }, }, + _source: false, + fields: [ + 'host.name', + 'source.ip', + 'url.path', + 'http.request.method', + 'url.domain', + 'http.response.status_code', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, @@ -692,7 +705,7 @@ export const expectedDsl = { methods: { terms: { field: 'http.request.method', size: 4 } }, domains: { terms: { field: 'url.domain', size: 4 } }, status: { terms: { field: 'http.response.status_code', size: 4 } }, - source: { top_hits: { size: 1, _source: { includes: ['host.name', 'source.ip'] } } }, + source: { top_hits: { size: 1, _source: false } }, }, }, }, 
@@ -713,6 +726,19 @@ export const expectedDsl = { ], }, }, + _source: false, + fields: [ + 'host.name', + 'source.ip', + 'url.path', + 'http.request.method', + 'url.domain', + 'http.response.status_code', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/helpers.ts index 377786b05198d..208ea0b36d4e2 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/helpers.ts @@ -23,8 +23,8 @@ const formatHttpEdges = (buckets: NetworkHttpBuckets[]): NetworkHttpEdges[] => domains: bucket.domains.buckets.map(({ key }) => key), methods: bucket.methods.buckets.map(({ key }) => key), statuses: bucket.status.buckets.map(({ key }) => `${key}`), - lastHost: get('source.hits.hits[0]._source.host.name', bucket), - lastSourceIp: get('source.hits.hits[0]._source.source.ip', bucket), + lastHost: get('source.hits.hits[0].fields["host.name"]', bucket), + lastSourceIp: get('source.hits.hits[0].fields["source.ip"]', bucket), path: bucket.key, requestCount: bucket.doc_count, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts index 8882d17804261..36f20752befed 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts 
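Review bot: `lastHost` and `lastSourceIp` change from a string to an array of strings on the two rewritten `get(...)` lines in the helpers.ts hunk, because values under `fields` are arrays (the updated mocks in this section now expect `['bastion00.siem.estc.dev']`). If `NetworkHttpEdges` still types these as `string`, or the client renders them directly, that shape change propagates to every consumer; either index the first element, `lastHost: get('source.hits.hits[0].fields["host.name"][0]', bucket),` and keep the mocks scalar, or update the type and each consumer deliberately. formatHttpEdges starts and ends outside the hunk.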
@@ -66,6 +66,19 @@ export const buildHttpQuery = ({ filter, }, }, + _source: false, + fields: [ + 'host.name', + 'source.ip', + 'url.path', + 'http.request.method', + 'url.domain', + 'http.response.status_code', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, @@ -77,7 +90,7 @@ export const buildHttpQuery = ({ const getHttpAggs = (sortField: SortField, querySize: number) => ({ url: { terms: { - field: `url.path`, + field: 'url.path', size: querySize, order: { _count: sortField.direction, @@ -105,9 +118,7 @@ const getHttpAggs = (sortField: SortField, querySize: number) => ({ source: { top_hits: { size: 1, - _source: { - includes: ['host.name', 'source.ip'], - }, + _source: false, }, }, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts index 31a6556a26b29..dc550bfe6c260 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/__mocks__/index.ts @@ -95,8 +95,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526378075029582', _score: 0, - _source: { - source: { as: { number: 15169, organization: { name: 'Google LLC' } } }, + fields: { + 'source.as.number': [15169], + 'source.as.organization.name': ['Google LLC'], }, }, ], 
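Review bot: The `source` top_hits in the last hunk of query.http_network.dsl.ts is reduced to `_source: false` with no `fields` of its own, while `host.name` and `source.ip` are requested only at the request-body level next to `size: 0`. Unless top_hits inherits request-level `fields` (not confirmable from this page), the single hit carries no values and `formatHttpEdges` resolves `lastHost`/`lastSourceIp` to undefined; the top_n_flow query in this same change declares `fields` inside each `top_hits`, which is the unambiguous form, so the suggestion is `top_hits: { size: 1, _source: false, fields: ['host.name', 'source.ip'] }`. The same request-level `_source: false`/`fields` beside `size: 0` appears in the dns body hunk and the top_n_flow body hunk; with no hits returned it only matters if a sub-aggregation consumes it. buildHttpQuery and getHttpAggs both start outside their hunks.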
@@ -114,16 +115,17 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526378075029582', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-VA'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', }, - }, + ], }, }, ], @@ -150,8 +152,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1527252060367158', _score: 0, - _source: { - source: { as: { number: 54113, organization: { name: 'Fastly' } } }, + fields: { + 'source.as.number': [54113], + 'source.as.organization.name': ['Fastly'], }, }, ], @@ -169,17 +172,18 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1527252060367158', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - city_name: 'Ashburn', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.4728, lat: 39.0481 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-VA'], + 'source.geo.city_name': ['Ashburn'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.4728, 39.0481], + type: 'Point', }, - }, + ], }, }, ], 
@@ -206,10 +210,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526971840437636', _score: 0, - _source: { - source: { - as: { number: 41231, organization: { name: 'Canonical Group Limited' } }, - }, + fields: { + 'source.as.number': [41231], + 'source.as.organization.name': ['Canonical Group Limited'], }, }, ], @@ -227,17 +230,18 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526971840437636', _score: 0, - _source: { - source: { - geo: { - continent_name: 'Europe', - region_iso_code: 'GB-ENG', - city_name: 'London', - country_iso_code: 'GB', - region_name: 'England', - location: { lon: -0.0961, lat: 51.5132 }, + fields: { + 'source.geo.continent_name': ['Europe'], + 'source.geo.region_iso_code': ['GB-ENG'], + 'source.geo.city_name': ['London'], + 'source.geo.country_iso_code': ['GB'], + 'source.geo.region_name': ['England'], + 'source.geo.location': [ + { + coordinates: [-0.0961, 51.5132], + type: 'Point', }, - }, + ], }, }, ], @@ -291,8 +295,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1527003062069535', _score: 0, - _source: { - source: { as: { number: 54113, organization: { name: 'Fastly' } } }, + fields: { + 'source.as.number': [54113], + 'source.as.organization.name': ['Fastly'], }, }, ], 
@@ -310,17 +315,18 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1527003062069535', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - city_name: 'Ashburn', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.539, lat: 39.018 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-VA'], + 'source.geo.city_name': ['Ashburn'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.539, 39.018], + type: 'Point', }, - }, + ], }, }, ], @@ -347,8 +353,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526557113311472', _score: 0, - _source: { - source: { as: { number: 15169, organization: { name: 'Google LLC' } } }, + fields: { + 'source.as.number': [15169], + 'source.as.organization.name': ['Google LLC'], }, }, ], @@ -366,16 +373,17 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526557113311472', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-VA', - country_iso_code: 'US', - region_name: 'Virginia', - location: { lon: -77.2481, lat: 38.6583 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-VA'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Virginia'], + 'source.geo.location': [ + { + coordinates: [-77.2481, 38.6583], + type: 'Point', }, - }, + ], }, }, ], 
@@ -402,8 +410,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526379128390241', _score: 0, - _source: { - source: { as: { number: 54113, organization: { name: 'Fastly' } } }, + fields: { + 'source.as.number': [54113], + 'source.as.organization.name': ['Fastly'], }, }, ], @@ -421,14 +430,15 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526379128390241', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - country_iso_code: 'US', - location: { lon: -97.822, lat: 37.751 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.location': [ + { + coordinates: [-97.822, 37.751], + type: 'Point', }, - }, + ], }, }, ], @@ -455,10 +465,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526555996515551', _score: 0, - _source: { - source: { - as: { number: 41231, organization: { name: 'Canonical Group Limited' } }, - }, + fields: { + 'source.as.number': [41231], + 'source.as.organization.name': ['Canonical Group Limited'], }, }, ], 
@@ -476,17 +485,18 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526555996515551', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - region_iso_code: 'US-MA', - city_name: 'Boston', - country_iso_code: 'US', - region_name: 'Massachusetts', - location: { lon: -71.0631, lat: 42.3562 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.region_iso_code': ['US-MA'], + 'source.geo.city_name': ['Boston'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.region_name': ['Massachusetts'], + 'source.geo.location': [ + { + coordinates: [-71.0631, 42.3562], + type: 'Point', }, - }, + ], }, }, ], @@ -513,8 +523,9 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526584379144248', _score: 0, - _source: { - source: { as: { number: 133766, organization: { name: 'YHSRV.LLC' } } }, + fields: { + 'source.as.number': [133766], + 'source.as.organization.name': ['YHSRV.LLC'], }, }, ], @@ -532,14 +543,15 @@ export const mockSearchStrategyResponse: IEsSearchResponse = { _index: 'filebeat-8.0.0-2020.09.02-000001', _id: 'dd4fa2d4bd-1526584379144248', _score: 0, - _source: { - source: { - geo: { - continent_name: 'North America', - country_iso_code: 'US', - location: { lon: -97.822, lat: 37.751 }, + fields: { + 'source.geo.continent_name': ['North America'], + 'source.geo.country_iso_code': ['US'], + 'source.geo.location': [ + { + coordinates: [-97.822, 37.751], + type: 'Point', }, - }, + ], }, }, ], 
@@ -836,11 +848,39 @@ export const formattedSearchStrategyResponse: NetworkTopNFlowStrategyResponse = }, location: { filter: { exists: { field: 'source.geo' } }, - aggs: { top_geo: { top_hits: { _source: 'source.geo.*', size: 1 } } }, + aggs: { + top_geo: { + top_hits: { + _source: false, + fields: [ + 'source.geo.*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + size: 1, + }, + }, + }, }, autonomous_system: { filter: { exists: { field: 'source.as' } }, - aggs: { top_as: { top_hits: { _source: 'source.as.*', size: 1 } } }, + aggs: { + top_as: { + top_hits: { + _source: false, + fields: [ + 'source.as.*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + size: 1, + }, + }, + }, }, flows: { cardinality: { field: 'network.community_id' } }, destination_ips: { cardinality: { field: 'destination.ip' } }, @@ -863,6 +903,13 @@ export const formattedSearchStrategyResponse: NetworkTopNFlowStrategyResponse = ], }, }, + _source: false, + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, @@ -904,11 +951,39 @@ export const expectedDsl = { }, location: { filter: { exists: { field: 'source.geo' } }, - aggs: { top_geo: { top_hits: { _source: 'source.geo.*', size: 1 } } }, + aggs: { + top_geo: { + top_hits: { + _source: false, + fields: [ + 'source.geo.*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + size: 1, + }, + }, + }, }, autonomous_system: { filter: { exists: { field: 'source.as' } }, - aggs: { top_as: { top_hits: { _source: 'source.as.*', size: 1 } } }, + aggs: { + top_as: { + top_hits: { + _source: false, + fields: [ + 'source.as.*', + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], + size: 1, + }, + }, + }, }, flows: { cardinality: { field: 'network.community_id' } }, destination_ips: { cardinality: { field: 'destination.ip' } }, 
@@ -931,6 +1006,13 @@ export const expectedDsl = { ], }, }, + _source: false, + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/helpers.ts index 20a4696b0ba99..bd7d8d9bd0b58 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/helpers.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/helpers.ts @@ -21,7 +21,11 @@ import { AutonomousSystemItem, } from '../../../../../../common/search_strategy'; import { getOppositeField } from '../helpers'; -import { formatResponseObjectValues } from '../../../../helpers/format_response_object_values'; +import { + formatResponseObjectValues, + transformLocationFields, + unflattenObject, +} from '../../../../helpers/format_response_object_values'; export const getTopNFlowEdges = ( response: IEsSearchResponse, 
@@ -66,39 +70,39 @@ const getFlowTargetFromString = (flowAsString: string) => flowAsString === 'source' ? FlowTargetSourceDest.source : FlowTargetSourceDest.destination; const getGeoItem = (result: NetworkTopNFlowBuckets): GeoItem | null => - result.location.top_geo.hits.hits.length > 0 && result.location.top_geo.hits.hits[0]._source + result.location.top_geo.hits.hits.length > 0 && result.location.top_geo.hits.hits[0].fields ? { geo: formatResponseObjectValues( getOr( '', - `location.top_geo.hits.hits[0]._source.${ - Object.keys(result.location.top_geo.hits.hits[0]._source)[0] - }.geo`, - result + `${Object.keys(result.location.top_geo.hits.hits[0].fields)[0].split('.geo')[0]}.geo`, + unflattenObject( + transformLocationFields(getOr({}, `location.top_geo.hits.hits[0].fields`, result)) + ) ) ), flowTarget: getFlowTargetFromString( - Object.keys(result.location.top_geo.hits.hits[0]._source)[0] + Object.keys(result.location.top_geo.hits.hits[0].fields)[0].split('.geo')[0] ), } : null; const getAsItem = (result: NetworkTopNFlowBuckets): AutonomousSystemItem | null => result.autonomous_system.top_as.hits.hits.length > 0 && - result.autonomous_system.top_as.hits.hits[0]._source + result.autonomous_system.top_as.hits.hits[0].fields ? { number: getOr( null, - `autonomous_system.top_as.hits.hits[0]._source.${ - Object.keys(result.autonomous_system.top_as.hits.hits[0]._source)[0] - }.as.number`, + `autonomous_system.top_as.hits.hits[0].fields['${ + Object.keys(result.autonomous_system.top_as.hits.hits[0].fields)[0].split('.as.')[0] + }.as.number'][0]`, result ), name: getOr( '', - `autonomous_system.top_as.hits.hits[0]._source.${ - Object.keys(result.autonomous_system.top_as.hits.hits[0]._source)[0] - }.as.organization.name`, + `autonomous_system.top_as.hits.hits[0].fields['${ + Object.keys(result.autonomous_system.top_as.hits.hits[0].fields)[0].split('.as')[0] + }.as.organization.name'][0]`, result ), } 
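Review bot: Both helpers select `Object.keys(...hits[0].fields)[0]` as the flow-target field, but the rewritten top_hits in query.top_n_flow_network.dsl.ts on this page now also request `@timestamp`, so the first key depends on the order Elasticsearch serializes the `fields` object; if `@timestamp` comes first, `'@timestamp'.split('.geo')[0]` yields `@timestamp`, the `getOr` path becomes `@timestamp.geo`, and `getFlowTargetFromString` silently reports `destination`. Select the key explicitly instead, e.g. `const geoKey = Object.keys(fields).find((key) => key.includes('.geo'));` (and `'.as.'` in getAsItem), and return `null` when none is found. getAsItem also splits on `'.as.'` for `number` but on `'.as'` for `name`; the two should use one separator. The mocks on this page list the geo/as keys first, so the existing tests would not catch the ordering case.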
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/query.top_n_flow_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/query.top_n_flow_network.dsl.ts index 52efb50f00b4b..0b2653dbd113b 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/query.top_n_flow_network.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_n_flow/query.top_n_flow_network.dsl.ts @@ -67,6 +67,13 @@ export const buildTopNFlowQuery = ({ filter, }, }, + _source: false, + fields: [ + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], }, size: 0, track_total_hits: false, @@ -122,7 +129,14 @@ const getFlowTargetAggs = ( aggs: { top_geo: { top_hits: { - _source: `${flowTarget}.geo.*`, + _source: false, + fields: [ + `${flowTarget}.geo.*`, + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, }, }, @@ -137,7 +151,14 @@ const getFlowTargetAggs = ( aggs: { top_as: { top_hits: { - _source: `${flowTarget}.as.*`, + _source: false, + fields: [ + `${flowTarget}.as.*`, + { + field: '@timestamp', + format: 'strict_date_optional_time', + }, + ], size: 1, }, }, diff --git a/x-pack/plugins/security_solution/tsconfig.json b/x-pack/plugins/security_solution/tsconfig.json index cc1656ace3c65..3f24dd6a74438 100644 --- a/x-pack/plugins/security_solution/tsconfig.json +++ b/x-pack/plugins/security_solution/tsconfig.json @@ -43,6 +43,7 @@ { "path": "../spaces/tsconfig.json" }, { "path": "../security/tsconfig.json" }, { "path": "../timelines/tsconfig.json" }, - { "path": "../session_view/tsconfig.json" } + { "path": "../session_view/tsconfig.json" }, + { "path": "../kubernetes_security/tsconfig.json" } ] } 
diff --git a/x-pack/plugins/session_view/common/constants.ts b/x-pack/plugins/session_view/common/constants.ts index 1781d0d37086b..2bb69bcec9fa2 100644 --- a/x-pack/plugins/session_view/common/constants.ts +++ b/x-pack/plugins/session_view/common/constants.ts @@ -9,7 +9,7 @@ export const PROCESS_EVENTS_ROUTE = '/internal/session_view/process_events_route export const ALERTS_ROUTE = '/internal/session_view/alerts_route'; export const ALERT_STATUS_ROUTE = '/internal/session_view/alert_status_route'; export const SESSION_ENTRY_LEADERS_ROUTE = '/internal/session_view/session_entry_leaders_route'; -export const PROCESS_EVENTS_INDEX = 'logs-endpoint.events.process-*'; +export const PROCESS_EVENTS_INDEX = 'logs-endpoint.events.process*'; export const PREVIEW_ALERTS_INDEX = '.preview.alerts-security.alerts-default'; export const ENTRY_SESSION_ENTITY_ID_PROPERTY = 'process.entry_leader.entity_id'; export const ALERT_UUID_PROPERTY = 'kibana.alert.uuid'; diff --git a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts index bd753ab28c455..c742c7cd59569 100644 --- a/x-pack/plugins/session_view/public/components/process_tree/hooks.ts +++ b/x-pack/plugins/session_view/public/components/process_tree/hooks.ts @@ -306,7 +306,9 @@ export const useProcessTree = ({ const newProcessedPages: ProcessEventsPage[] = []; data.forEach((page, i) => { - const processed = processedPages.find((p) => p.cursor === page.cursor); + const processed = processedPages.find( + (p) => p.cursor === page.cursor && p.events?.length === page.events?.length + ); if (!processed) { const backwards = i < processedPages.length; diff --git a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx index 2caaf47b3d79d..159a3782be259 100644 --- a/x-pack/plugins/session_view/public/components/session_view/index.test.tsx 
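Review bot: Dropping the `-` from `PROCESS_EVENTS_INDEX` widens the pattern from the `logs-endpoint.events.process-<namespace>` data streams to any index whose name merely starts with `logs-endpoint.events.process`, which is a broader read scope for the session-view routes than before. If a specific additional index name motivated the change, a comment naming it, e.g. `// also matches <INDEX NAME>; see <REASON>` (placeholder), keeps the scope reviewable; otherwise the narrower pattern is the safer default.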
+++ b/x-pack/plugins/session_view/public/components/session_view/index.test.tsx @@ -127,6 +127,13 @@ describe('SessionView component', () => { expect(renderResult.getByText('Timestamp')).toBeTruthy(); expect(renderResult.getByText('Verbose mode')).toBeTruthy(); }); + + it('should show refresh button', async () => { + render(); + await waitForApiCall(); + + expect(renderResult.getAllByTestId('sessionView:sessionViewRefreshButton')).toBeTruthy(); + }); }); }); }); diff --git a/x-pack/plugins/session_view/public/components/session_view/index.tsx b/x-pack/plugins/session_view/public/components/session_view/index.tsx index 036485915cce8..1c099e056df88 100644 --- a/x-pack/plugins/session_view/public/components/session_view/index.tsx +++ b/x-pack/plugins/session_view/public/components/session_view/index.tsx @@ -14,6 +14,7 @@ import { EuiHorizontalRule, EuiFlexGroup, EuiBetaBadge, + EuiButtonIcon, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; @@ -116,6 +117,7 @@ export const SessionView = ({ isFetching, fetchPreviousPage, hasPreviousPage, + refetch, } = useFetchSessionViewProcessEvents(sessionEntityId, currentJumpToCursor); const { @@ -124,8 +126,14 @@ export const SessionView = ({ isFetching: isFetchingAlerts, hasNextPage: hasNextPageAlerts, error: alertsError, + refetch: refetchAlerts, } = useFetchSessionViewAlerts(sessionEntityId, investigatedAlertId); + const handleRefresh = useCallback(() => { + refetch({ refetchPage: (page, index, allPages) => allPages.length - 1 === index }); + refetchAlerts({ refetchPage: (page, index, allPages) => allPages.length - 1 === index }); + }, [refetch, refetchAlerts]); + const alerts = useMemo(() => { let events: ProcessEvent[] = []; 
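Review bot: `handleRefresh` in the last hunk of index.tsx duplicates the inline `refetchPage` predicate on two consecutive lines; hoisting it keeps the two refetches in sync, e.g. `const refetchLastPage = { refetchPage: (page, index, allPages) => allPages.length - 1 === index };` followed by `refetch(refetchLastPage); refetchAlerts(refetchLastPage);`. The predicate also means a refresh reloads only the last fetched page, so alert-status changes on earlier pages are not picked up; if that is intended, a one-line comment on `handleRefresh` saying so would help the next reader. The SessionView component continues outside the hunk.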
@@ -236,6 +244,18 @@ export const SessionView = ({ /> + + + + { const client = await ruleRegistry.getRacClientWithRequest(request); const { sessionEntityId, investigatedAlertId, range, cursor } = request.query; - const body = await searchAlerts( - client, - sessionEntityId, - ALERTS_PER_PAGE, - investigatedAlertId, - range, - cursor - ); - return response.ok({ body }); + try { + const body = await searchAlerts( + client, + sessionEntityId, + ALERTS_PER_PAGE, + investigatedAlertId, + range, + cursor + ); + + return response.ok({ body }); + } catch (err) { + return response.badRequest(err.message); + } } ); }; 
@@ -70,60 +75,69 @@ export const searchAlerts = async ( return { events: [] }; } - const results = await client.find({ - query: { - bool: { - must: [ - { - term: { - [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId, + try { + const results = await client.find({ + query: { + bool: { + must: [ + { + term: { + [ENTRY_SESSION_ENTITY_ID_PROPERTY]: sessionEntityId, + }, }, - }, - range && { - range: { - [ALERT_ORIGINAL_TIME_PROPERTY]: { - gte: range[0], - lte: range[1], + range && { + range: { + [ALERT_ORIGINAL_TIME_PROPERTY]: { + gte: range[0], + lte: range[1], + }, }, }, - }, - ].filter((item) => !!item), - }, - }, - track_total_hits: true, - size, - index: indices.join(','), - sort: [{ '@timestamp': 'asc' }], - search_after: cursor ? [cursor] : undefined, - }); - - // if an alert is being investigated, fetch it on it's own, as it's not guaranteed to come back in the above request. - // we only need to do this for the first page of alerts. - if (!cursor && investigatedAlertId) { - const investigatedAlertSearch = await client.find({ - query: { - match: { - [ALERT_UUID_PROPERTY]: investigatedAlertId, + ].filter((item) => !!item), }, }, - size: 1, + track_total_hits: true, + size, index: indices.join(','), + sort: [{ '@timestamp': 'asc' }], + search_after: cursor ? [cursor] : undefined, }); - if (investigatedAlertSearch.hits.hits.length > 0) { - results.hits.hits.unshift(investigatedAlertSearch.hits.hits[0]); + // if an alert is being investigated, fetch it on it's own, as it's not guaranteed to come back in the above request. + // we only need to do this for the first page of alerts. 
+ if (!cursor && investigatedAlertId) { + const investigatedAlertSearch = await client.find({ + query: { + match: { + [ALERT_UUID_PROPERTY]: investigatedAlertId, + }, + }, + size: 1, + index: indices.join(','), + }); + + if (investigatedAlertSearch.hits.hits.length > 0) { + results.hits.hits.unshift(investigatedAlertSearch.hits.hits[0]); + } } - } - const events = results.hits.hits.map((hit: any) => { - // the alert indexes flattens many properties. this util unflattens them as session view expects structured json. - hit._source = expandDottedObject(hit._source); + const events = results.hits.hits.map((hit: any) => { + // the alert indexes flattens many properties. this util unflattens them as session view expects structured json. + hit._source = expandDottedObject(hit._source); - return hit; - }); + return hit; + }); + + const total = + typeof results.hits.total === 'number' ? results.hits.total : results.hits.total?.value; - const total = - typeof results.hits.total === 'number' ? results.hits.total : results.hits.total?.value; + return { total, events }; + } catch (err) { + // unauthorized + if (err.output.statusCode === 404) { + return { total: 0, events: [] }; + } - return { total, events }; + throw err; + } }; diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index d101fe3728b79..2bb1aa4579ec9 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts 
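Review bot: The new catch block in searchAlerts reads `err.output.statusCode` without checking that `err.output` exists, so any error that is not Boom-shaped (a plain network or client failure) throws a TypeError from inside the catch and the original error is lost. The comment above it says `// unauthorized` while the code tests for 404, so either the comment or the status code is wrong. Suggest `if (err?.output?.statusCode === 404) {` together with a comment that states what the 404 actually stands for here. searchAlerts starts above the hunk.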
@@ -40,16 +40,26 @@ export const registerProcessEventsRoute = ( async (context, request, response) => { const client = (await context.core).elasticsearch.client.asCurrentUser; const alertsClient = await ruleRegistry.getRacClientWithRequest(request); - const { sessionEntityId, cursor, forward = true } = request.query; - const body = await fetchEventsAndScopedAlerts( - client, - alertsClient, - sessionEntityId, - cursor, - forward - ); + const { sessionEntityId, cursor, forward } = request.query; - return response.ok({ body }); + try { + const body = await fetchEventsAndScopedAlerts( + client, + alertsClient, + sessionEntityId, + cursor, + forward + ); + + return response.ok({ body }); + } catch (err) { + // unauthorized + if (err.meta.statusCode === 403) { + return response.ok({ body: { total: 0, events: [] } }); + } + + return response.badRequest(err.message); + } } ); }; @@ -58,7 +68,7 @@ export const fetchEventsAndScopedAlerts = async ( client: ElasticsearchClient, alertsClient: AlertsClient, sessionEntityId: string, - cursor: string | undefined, + cursor?: string, forward = true ) => { const cursorMillis = cursor && new Date(cursor).getTime() + (forward ? -1 : 1); diff --git a/x-pack/plugins/synthetics/common/constants/monitor_management.ts b/x-pack/plugins/synthetics/common/constants/monitor_management.ts index db010391839d5..96b261562a4da 100644 --- a/x-pack/plugins/synthetics/common/constants/monitor_management.ts +++ b/x-pack/plugins/synthetics/common/constants/monitor_management.ts @@ -12,7 +12,7 @@ export enum ConfigKey { ENABLED = 'enabled', HOSTS = 'hosts', IGNORE_HTTPS_ERRORS = 'ignore_https_errors', - MONITOR_SOURCE_TYPE = 'monitor.origin', + MONITOR_SOURCE_TYPE = 'origin', JOURNEY_FILTERS_MATCH = 'filter_journeys.match', JOURNEY_FILTERS_TAGS = 'filter_journeys.tags', JOURNEY_ID = 'journey_id', diff --git a/x-pack/plugins/synthetics/common/constants/ui.ts b/x-pack/plugins/synthetics/common/constants/ui.ts index 994cc20536723..226eda1986886 100644 
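Review bot: The catch in registerProcessEventsRoute dereferences `err.meta.statusCode` without a guard, so an error thrown without a `meta` property (anything that fails before the Elasticsearch call) turns into a TypeError and an unhandled 500 rather than the intended response; use `if (err?.meta?.statusCode === 403) {`. Answering a 403 with a 200 and an empty body hides authorization failures from the client and from any monitoring on 4xx rates, so the `// unauthorized` comment should state that this is deliberate and why. Falling through to `response.badRequest(err.message)` labels every remaining failure, server-side ones included, as a client error and echoes the raw upstream message to the caller; if the response factory takes an options object as the sibling `response.ok({ body })` does, this should be at least `response.badRequest({ body: err.message })`, and a custom error carrying the upstream status would be more accurate.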
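Review bot: Changing `ConfigKey.MONITOR_SOURCE_TYPE` from `'monitor.origin'` to `'origin'` changes the attribute name under which this field is written and read wherever the enum value is used as a key, so monitors already persisted under the old key would not be found under the new one unless a migration or read-side fallback exists, which the hunk cannot show. A short comment on the member, e.g. `// flattened from 'monitor.origin'; existing saved objects are handled by <migration or fallback location>`, would make the change reviewable. The enclosing enum starts before and ends after the hunk.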
--- a/x-pack/plugins/synthetics/common/constants/ui.ts +++ b/x-pack/plugins/synthetics/common/constants/ui.ts @@ -14,7 +14,10 @@ export const MONITOR_EDIT_ROUTE = '/edit-monitor/:monitorId'; export const MONITOR_MANAGEMENT_ROUTE = '/manage-monitors'; export const OVERVIEW_ROUTE = '/'; -export const GETTING_STARTED_ROUTE = '/manage-monitors/getting-started'; + +export const MONITORS_ROUTE = '/monitors'; + +export const GETTING_STARTED_ROUTE = '/monitors/getting-started'; export const SETTINGS_ROUTE = '/settings'; diff --git a/x-pack/plugins/synthetics/common/runtime_types/monitor_management/monitor_types.ts b/x-pack/plugins/synthetics/common/runtime_types/monitor_management/monitor_types.ts index 2b343cfa68883..3351d3da6140c 100644 --- a/x-pack/plugins/synthetics/common/runtime_types/monitor_management/monitor_types.ts +++ b/x-pack/plugins/synthetics/common/runtime_types/monitor_management/monitor_types.ts @@ -315,12 +315,20 @@ export const EncryptedSyntheticsMonitorWithIdCodec = t.intersection([ t.interface({ id: t.string }), ]); +// TODO: Remove EncryptedSyntheticsMonitorWithIdCodec (as well as SyntheticsMonitorWithIdCodec if possible) along with respective TypeScript types in favor of EncryptedSyntheticsSavedMonitorCodec +export const EncryptedSyntheticsSavedMonitorCodec = t.intersection([ + EncryptedSyntheticsMonitorCodec, + t.interface({ id: t.string, updated_at: t.string }), +]); + export type SyntheticsMonitorWithId = t.TypeOf; export type EncryptedSyntheticsMonitorWithId = t.TypeOf< typeof EncryptedSyntheticsMonitorWithIdCodec >; +export type EncryptedSyntheticsSavedMonitor = t.TypeOf; + export const MonitorDefaultsCodec = t.interface({ [DataStream.HTTP]: HTTPFieldsCodec, [DataStream.TCP]: TCPFieldsCodec, diff --git a/x-pack/plugins/synthetics/e2e/journeys/index.ts b/x-pack/plugins/synthetics/e2e/journeys/index.ts index 6f1d733e10537..8ebfb96262d98 100644 --- a/x-pack/plugins/synthetics/e2e/journeys/index.ts 
+++ b/x-pack/plugins/synthetics/e2e/journeys/index.ts
@@ -5,15 +5,15 @@
 * 2.0.
 */
-export * from './synthetics';
-export * from './data_view_permissions';
+// export * from './synthetics'; // TODO: Enable these in a follow up PR
+// export * from './data_view_permissions'; // TODO: Enable these in a follow up PR
 export * from './uptime.journey';
 export * from './step_duration.journey';
-export * from './alerts';
-export * from './read_only_user';
-export * from './monitor_details.journey';
-export * from './monitor_name.journey';
-export * from './monitor_management.journey';
-export * from './monitor_management_enablement.journey';
-export * from './monitor_details';
+// export * from './alerts'; // TODO: Enable these in a follow up PR
+// export * from './read_only_user'; // TODO: Enable these in a follow up PR
+// export * from './monitor_details.journey'; // TODO: Enable these in a follow up PR
+// export * from './monitor_name.journey'; // TODO: Enable these in a follow up PR
+// export * from './monitor_management.journey'; // TODO: Enable these in a follow up PR
+// export * from './monitor_management_enablement.journey'; // TODO: Enable these in a follow up PR
+// export * from './monitor_details'; // TODO: Enable these in a follow up PR
 export * from './locations';
diff --git a/x-pack/plugins/synthetics/e2e/playwright_run.ts b/x-pack/plugins/synthetics/e2e/parse_args_params.ts
similarity index 55%
rename from x-pack/plugins/synthetics/e2e/playwright_run.ts
rename to x-pack/plugins/synthetics/e2e/parse_args_params.ts
index 1b5cd959f8e87..9e7819bee5d2e 100644
--- a/x-pack/plugins/synthetics/e2e/playwright_run.ts
+++ b/x-pack/plugins/synthetics/e2e/parse_args_params.ts
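Review bot: Commenting out the `read_only_user` and `data_view_permissions` journeys (together with the alerts and monitor-management ones) removes the e2e coverage of the permission-dependent behaviour that other hunks in this change touch, and the only trace left is a generic TODO repeated on every line. The TODO should name the tracking issue and the reason, e.g. `// TODO(<issue id>): re-enable once the journeys are ported to SyntheticsRunner`, so the coverage gap is visible and owned rather than silently carried forward.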
@@ -4,9 +4,8 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { FtrConfigProviderContext } from '@kbn/test'; + import yargs from 'yargs'; -import { playwrightRunTests } from './playwright_start'; const { argv } = yargs(process.argv.slice(2)) .option('headless', { @@ -14,6 +13,11 @@ const { argv } = yargs(process.argv.slice(2)) type: 'boolean', description: 'Start in headless mode', }) + .option('pauseOnError', { + default: false, + type: 'boolean', + description: 'Pause on error', + }) .option('grep', { default: undefined, type: 'string', @@ -21,15 +25,4 @@ const { argv } = yargs(process.argv.slice(2)) }) .help(); -const { headless, grep } = argv; - -async function runE2ETests({ readConfigFile }: FtrConfigProviderContext) { - const kibanaConfig = await readConfigFile(require.resolve('./config.ts')); - return { - ...kibanaConfig.getAll(), - testRunner: playwrightRunTests({ headless, match: grep }), - }; -} - -// eslint-disable-next-line import/no-default-export -export default runE2ETests; +export { argv }; diff --git a/x-pack/plugins/synthetics/e2e/playwright_start.ts b/x-pack/plugins/synthetics/e2e/playwright_start.ts deleted file mode 100644 index d387ce30fbf20..0000000000000 --- a/x-pack/plugins/synthetics/e2e/playwright_start.ts +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -/* eslint-disable no-console */ - -import Url from 'url'; -import { run as playwrightRun } from '@elastic/synthetics'; -import { createApmUsers } from '@kbn/apm-plugin/scripts/create_apm_users/create_apm_users'; -import { esArchiverLoad, esArchiverUnload } from './tasks/es_archiver'; - -import './journeys'; - -export function playwrightRunTests({ headless, match }: { headless: boolean; match?: string }) { - return async ({ getService }: any) => { - const results = await playwrightStart(getService, headless, match); - - Object.entries(results).forEach(([_journey, result]) => { - if (result.status !== 'succeeded') { - throw new Error('Tests failed'); - } - }); - }; -} - -async function playwrightStart(getService: any, headless = true, match?: string) { - console.log('Loading esArchiver...'); - const esArchiver = getService('esArchiver'); - - esArchiverLoad('full_heartbeat'); - esArchiverLoad('browser'); - - const config = getService('config'); - - await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/ml/farequote'); - - const kibanaUrl = Url.format({ - protocol: config.get('servers.kibana.protocol'), - hostname: config.get('servers.kibana.hostname'), - port: config.get('servers.kibana.port'), - }); - - await createApmUsers({ - elasticsearch: { username: 'elastic', password: 'changeme' }, - kibana: { hostname: kibanaUrl }, - }); - - const res = await playwrightRun({ - params: { kibanaUrl, getService }, - playwrightOptions: { headless, chromiumSandbox: false, timeout: 60 * 1000 }, - match: match === 'undefined' ? '' : match, - }); - - console.log('Removing esArchiver...'); - esArchiverUnload('full_heartbeat'); - esArchiverUnload('browser'); - - return res; -} 
diff --git a/x-pack/plugins/synthetics/e2e/synthetics_run.ts b/x-pack/plugins/synthetics/e2e/synthetics_run.ts
new file mode 100644
index 0000000000000..345e153a8c86c
--- /dev/null
+++ b/x-pack/plugins/synthetics/e2e/synthetics_run.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrConfigProviderContext } from '@kbn/test';
+import path from 'path';
+import { SyntheticsRunner } from './synthetics_start';
+
+import { argv } from './parse_args_params';
+
+const { headless, grep, pauseOnError } = argv;
+
+async function runE2ETests({ readConfigFile }: FtrConfigProviderContext) {
+ const kibanaConfig = await readConfigFile(require.resolve('./config.ts'));
+ return {
+ ...kibanaConfig.getAll(),
+ testRunner: async ({ getService }: any) => {
+ const syntheticsRunner = new SyntheticsRunner(getService, {
+ headless,
+ match: grep,
+ pauseOnError,
+ });
+
+ await syntheticsRunner.setup();
+ const fixturesDir = path.join(__dirname, '../e2e/fixtures/es_archiver/');
+
+ await syntheticsRunner.loadTestData(fixturesDir, ['full_heartbeat', 'browser']);
+
+ await syntheticsRunner.loadTestFiles(async () => {
+ require('./journeys');
+ });
+
+ await syntheticsRunner.run();
+ },
+ };
+}
+
+// eslint-disable-next-line import/no-default-export
+export default runE2ETests;
diff --git a/x-pack/plugins/synthetics/e2e/synthetics_start.ts b/x-pack/plugins/synthetics/e2e/synthetics_start.ts
new file mode 100644
index 0000000000000..9f7a6a7e97821
--- /dev/null
+++ b/x-pack/plugins/synthetics/e2e/synthetics_start.ts
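Review bot: The testRunner in runE2ETests loads the es archives through loadTestData but never calls `syntheticsRunner.cleanUp()`, so the fixture data stays in the cluster after the run (and after a failing run), whereas the deleted playwright_start.ts unloaded it once the journeys finished; wrap the run as `try { await syntheticsRunner.run(); } finally { syntheticsRunner.cleanUp(); }`. The fixtures path `path.join(__dirname, '../e2e/fixtures/es_archiver/')` walks out of the e2e directory and straight back into it, so `path.join(__dirname, 'fixtures/es_archiver/')` expresses the same location without the detour.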
@@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable no-console */ + +import Url from 'url'; +import { run as syntheticsRun } from '@elastic/synthetics'; +import { PromiseType } from 'utility-types'; +import { createApmUsers } from '@kbn/apm-plugin/scripts/create_apm_users/create_apm_users'; + +import { esArchiverUnload } from './tasks/es_archiver'; + +export interface ArgParams { + headless: boolean; + match?: string; + pauseOnError: boolean; +} + +export class SyntheticsRunner { + public getService: any; + public kibanaUrl: string; + + public testFilesLoaded: boolean = false; + + public params: ArgParams; + + constructor(getService: any, params: ArgParams) { + this.getService = getService; + this.kibanaUrl = this.getKibanaUrl(); + this.params = params; + } + + async setup() { + await this.createTestUsers(); + } + + async createTestUsers() { + await createApmUsers({ + elasticsearch: { username: 'elastic', password: 'changeme' }, + kibana: { hostname: this.kibanaUrl }, + }); + } + + async loadTestFiles(callback: () => Promise) { + console.log('Loading test files'); + await callback(); + this.testFilesLoaded = true; + console.log('Successfully loaded test files'); + } + + async loadTestData(e2eDir: string, dataArchives: string[]) { + console.log('Loading esArchiver...'); + + const esArchiver = this.getService('esArchiver'); + + const promises = dataArchives.map((archive) => esArchiver.loadIfNeeded(e2eDir + archive)); + + await Promise.all([ + ...promises, + esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/ml/farequote'), + ]); + } + + getKibanaUrl() { + const config = this.getService('config'); + + return Url.format({ + protocol: config.get('servers.kibana.protocol'), + hostname: 
config.get('servers.kibana.hostname'), + port: config.get('servers.kibana.port'), + }); + } + + async run() { + if (!this.testFilesLoaded) { + throw new Error('Test files not loaded'); + } + const { headless, match, pauseOnError } = this.params; + const results = await syntheticsRun({ + params: { kibanaUrl: this.kibanaUrl, getService: this.getService }, + playwrightOptions: { headless, chromiumSandbox: false, timeout: 60 * 1000 }, + match: match === 'undefined' ? '' : match, + pauseOnError, + }); + + await this.assertResults(results); + } + + assertResults(results: PromiseType>) { + Object.entries(results).forEach(([_journey, result]) => { + if (result.status !== 'succeeded') { + throw new Error('Tests failed'); + } + }); + } + + cleanUp() { + console.log('Removing esArchiver...'); + esArchiverUnload('full_heartbeat'); + esArchiverUnload('browser'); + } +} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/pages/synthetics_page_template.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/pages/synthetics_page_template.tsx index 50497c4c9214c..95ec1c5a62975 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/common/pages/synthetics_page_template.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/common/pages/synthetics_page_template.tsx 
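Review bot: `cleanUp()` unloads a fixed `full_heartbeat`/`browser` pair while `loadTestData` accepts an arbitrary `dataArchives` list, so the two will drift apart as soon as a caller passes a different set; record what was loaded with `this.loadedArchives.push(...dataArchives)` at the end of loadTestData and unload with `this.loadedArchives.forEach((archive) => esArchiverUnload(archive))`, backed by a `public loadedArchives: string[] = [];` field. createTestUsers hardcodes the `elastic`/`changeme` superuser credentials even though the FTR config is already reachable through `this.getService('config')` in getKibanaUrl; reading the username and password from the config's `servers.elasticsearch` entry, if it is populated in this setup, keeps the runner usable against a cluster that does not use the dev defaults and keeps a password out of source. run() compares `match === 'undefined'` to work around the CLI passing the literal string, which deserves a one-line comment so the next reader does not "fix" it.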
@@ -11,9 +11,9 @@ import { EuiPageHeaderProps, EuiPageTemplateProps } from '@elastic/eui'; import { useKibana } from '@kbn/kibana-react-plugin/public'; import { useInspectorContext } from '@kbn/observability-plugin/public'; import { ClientPluginsStart } from '../../../../../plugin'; -import { EmptyStateLoading } from '../../overview/empty_state/empty_state_loading'; -import { EmptyStateError } from '../../overview/empty_state/empty_state_error'; -import { useHasData } from '../../overview/empty_state/use_has_data'; +import { EmptyStateLoading } from '../../monitors_page/overview/empty_state/empty_state_loading'; +import { EmptyStateError } from '../../monitors_page/overview/empty_state/empty_state_error'; +import { useHasData } from '../../monitors_page/overview/empty_state/use_has_data'; import { useBreakpoints } from '../../../hooks'; interface Props { diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/form_fields/service_locations.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/form_fields/service_locations.tsx index 252b650cc7058..f345b79ae5488 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/form_fields/service_locations.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/form_fields/service_locations.tsx 
@@ -5,12 +5,14 @@ * 2.0. */ -import { EuiComboBox, EuiFormRow } from '@elastic/eui'; -import { Controller, FieldErrors, Control } from 'react-hook-form'; import React from 'react'; -import { i18n } from '@kbn/i18n'; +import { Controller, FieldErrors, Control } from 'react-hook-form'; import { useSelector } from 'react-redux'; -import { serviceLocationsSelector } from '../../../state/monitor_management/selectors'; + +import { EuiComboBox, EuiFormRow } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { selectServiceLocationsState } from '../../../state'; + import { SimpleFormData } from '../simple_monitor_form'; import { ConfigKey } from '../../../../../../common/constants/monitor_management'; @@ -21,7 +23,7 @@ export const ServiceLocationsField = ({ errors: FieldErrors; control: Control; }) => { - const locations = useSelector(serviceLocationsSelector); + const { locations } = useSelector(selectServiceLocationsState); return ( { const dispatch = useDispatch(); useEffect(() => { - dispatch(fetchServiceLocationsAction.get()); + dispatch(getServiceLocations()); }, [dispatch]); useBreadcrumbs([{ text: MONITORING_OVERVIEW_LABEL }]); // No extra breadcrumbs on overview diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/use_simple_monitor.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/use_simple_monitor.ts index 81585a9f26a99..d8d645451c18a 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/use_simple_monitor.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/getting_started/use_simple_monitor.ts 
@@ -9,18 +9,22 @@ import { useFetcher } from '@kbn/observability-plugin/public'; import { useEffect } from 'react'; import { useKibana } from '@kbn/kibana-react-plugin/public'; import { useSelector } from 'react-redux'; -import { serviceLocationsSelector } from '../../state/monitor_management/selectors'; -import { showSyncErrors } from '../monitor_management/show_sync_errors'; -import { createMonitorAPI } from '../../state/monitor_management/api'; +import { selectServiceLocationsState } from '../../state'; +import { showSyncErrors } from '../monitors_page/management/show_sync_errors'; +import { fetchCreateMonitor } from '../../state'; import { DEFAULT_FIELDS } from '../../../../../common/constants/monitor_defaults'; import { ConfigKey } from '../../../../../common/constants/monitor_management'; -import { DataStream, SyntheticsMonitorWithId } from '../../../../../common/runtime_types'; +import { + DataStream, + ServiceLocationErrors, + SyntheticsMonitorWithId, +} from '../../../../../common/runtime_types'; import { MONITOR_SUCCESS_LABEL, MY_FIRST_MONITOR, SimpleFormData } from './simple_monitor_form'; import { kibanaService } from '../../../../utils/kibana_service'; export const useSimpleMonitor = ({ monitorData }: { monitorData?: SimpleFormData }) => { const { application } = useKibana().services; - const locationsList = useSelector(serviceLocationsSelector); + const { locations: serviceLocations } = useSelector(selectServiceLocationsState); const { data, loading } = useFetcher(() => { if (!monitorData) { @@ -28,7 +32,7 @@ export const useSimpleMonitor = ({ monitorData }: { monitorData?: SimpleFormData } const { urls, locations } = monitorData; - return createMonitorAPI({ + return fetchCreateMonitor({ monitor: { ...DEFAULT_FIELDS.browser, 'source.inline.script': `step('Go to ${urls}', async () => { 
@@ -46,7 +50,11 @@ export const useSimpleMonitor = ({ monitorData }: { monitorData?: SimpleFormData const newMonitor = data as SyntheticsMonitorWithId; const hasErrors = data && 'attributes' in data && data.attributes.errors?.length > 0; if (hasErrors && !loading) { - showSyncErrors(data.attributes.errors, locationsList, kibanaService.toasts); + showSyncErrors( + (data as { attributes: { errors: ServiceLocationErrors } })?.attributes.errors ?? [], + serviceLocations, + kibanaService.toasts + ); } if (!loading && newMonitor?.id) { @@ -56,7 +64,7 @@ export const useSimpleMonitor = ({ monitorData }: { monitorData?: SimpleFormData }); application?.navigateToApp('uptime', { path: `/monitor/${btoa(newMonitor.id)}` }); } - }, [application, data, loading, locationsList]); + }, [application, data, loading, serviceLocations]); return { data, loading }; }; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/monitor_management_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/monitor_management_page.tsx deleted file mode 100644 index 7c20fcfe1c143..0000000000000 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/monitor_management_page.tsx +++ /dev/null 
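Review bot: Inside the hasErrors branch the new call re-casts and optional-chains `data` (`(data as { attributes: { errors: ServiceLocationErrors } })?.attributes.errors ?? []`) even though `hasErrors` on the line above already established `data`, `'attributes' in data` and a non-empty `errors`, so the `?.` and the `?? []` can never take effect. Narrowing once where hasErrors is computed, e.g. `const syncErrors = data && 'attributes' in data ? (data as { attributes: { errors: ServiceLocationErrors } }).attributes.errors : undefined;` followed by `if (syncErrors?.length && !loading) { showSyncErrors(syncErrors, serviceLocations, kibanaService.toasts); }`, removes the duplicated cast and the dead fallback. The enclosing effect callback starts before and ends after the hunk.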
@@ -1,39 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import React, { useEffect } from 'react'; -import { useTrackPageview } from '@kbn/observability-plugin/public'; -import { useDispatch, useSelector } from 'react-redux'; -import { Redirect } from 'react-router-dom'; -import { monitorListSelector } from '../../state/monitor_management/selectors'; -import { fetchMonitorListAction } from '../../state/monitor_management/monitor_list'; -import { GETTING_STARTED_ROUTE } from '../../../../../common/constants'; -import { useMonitorManagementBreadcrumbs } from './use_breadcrumbs'; - -export const MonitorManagementPage: React.FC = () => { - useTrackPageview({ app: 'synthetics', path: 'manage-monitors' }); - useTrackPageview({ app: 'synthetics', path: 'manage-monitors', delay: 15000 }); - useMonitorManagementBreadcrumbs(); - - const dispatch = useDispatch(); - - const { total } = useSelector(monitorListSelector); - - useEffect(() => { - dispatch(fetchMonitorListAction.get()); - }, [dispatch]); - - if (total === 0) { - return ; - } - - return ( - <> -

This page is under construction and will be updated in a future release

- - ); -}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/use_breadcrumbs.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_breadcrumbs.ts similarity index 65% rename from x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/use_breadcrumbs.ts rename to x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_breadcrumbs.ts index 30d23128d1e82..e13e982203e1a 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/use_breadcrumbs.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_breadcrumbs.ts @@ -6,22 +6,22 @@ */ import { i18n } from '@kbn/i18n'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { useBreadcrumbs } from '../../hooks/use_breadcrumbs'; -import { MONITOR_MANAGEMENT_ROUTE } from '../../../../../common/constants'; -import { PLUGIN } from '../../../../../common/constants/plugin'; +import { useBreadcrumbs } from '../../../hooks/use_breadcrumbs'; +import { MONITORS_ROUTE } from '../../../../../../common/constants'; +import { PLUGIN } from '../../../../../../common/constants/plugin'; -export const useMonitorManagementBreadcrumbs = () => { +export const useMonitorListBreadcrumbs = () => { const kibana = useKibana(); const appPath = kibana.services.application?.getUrlForApp(PLUGIN.SYNTHETICS_PLUGIN_ID) ?? ''; useBreadcrumbs([ { text: MONITOR_MANAGEMENT_CRUMB, - href: `${appPath}/${MONITOR_MANAGEMENT_ROUTE}`, + href: `${appPath}/${MONITORS_ROUTE}`, }, ]); }; -const MONITOR_MANAGEMENT_CRUMB = i18n.translate('xpack.synthetics.monitorsPage.monitorCrumb', { +const MONITOR_MANAGEMENT_CRUMB = i18n.translate('xpack.synthetics.monitorsPage.monitorsMCrumb', { defaultMessage: 'Monitors', }); 
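Review bot: The translation id in useMonitorListBreadcrumbs changes from `xpack.synthetics.monitorsPage.monitorCrumb` to `xpack.synthetics.monitorsPage.monitorsMCrumb`, where `monitorsMCrumb` reads like a typo rather than a deliberate rename, and any existing translations keyed on the old id are orphaned by the change. If the id has to move with the hook rename, `xpack.synthetics.monitorsPage.monitorsCrumb` is the form the rest of the name suggests; otherwise keeping the old id avoids the translation churn for a label whose text did not change.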
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors.ts new file mode 100644 index 0000000000000..aaf94f46e283a --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors.ts 
@@ -0,0 +1,110 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useSelector } from 'react-redux'; +import moment from 'moment'; +import { useMemo } from 'react'; +import { useEsSearch } from '@kbn/observability-plugin/public'; +import { selectEncryptedSyntheticsSavedMonitors } from '../../../state'; +import { Ping } from '../../../../../../common/runtime_types'; +import { EXCLUDE_RUN_ONCE_FILTER } from '../../../../../../common/constants/client_defaults'; +import { useSyntheticsRefreshContext } from '../../../contexts/synthetics_refresh_context'; +import { useInlineErrorsCount } from './use_inline_errors_count'; +import { SYNTHETICS_INDEX_PATTERN } from '../../../../../../common/constants'; + +const sortFieldMap: Record = { + ['name.keyword']: 'monitor.name', + ['urls.keyword']: 'url.full', + ['type.keyword']: 'monitor.type', + '@timestamp': '@timestamp', +}; + +export const getInlineErrorFilters = () => [ + { + exists: { + field: 'summary', + }, + }, + { + exists: { + field: 'error', + }, + }, + { + bool: { + minimum_should_match: 1, + should: [ + { + match_phrase: { + 'error.message': 'journey did not finish executing', + }, + }, + { + match_phrase: { + 'error.message': 'ReferenceError:', + }, + }, + ], + }, + }, + { + range: { + 'monitor.timespan': { + lte: moment().toISOString(), + gte: moment().subtract(5, 'minutes').toISOString(), + }, + }, + }, + EXCLUDE_RUN_ONCE_FILTER, +]; + +export function useInlineErrors({ + onlyInvalidMonitors, + sortField = '@timestamp', + sortOrder = 'desc', +}: { + onlyInvalidMonitors?: boolean; + sortField?: string; + sortOrder?: 'asc' | 'desc'; +}) { + const syntheticsMonitors = useSelector(selectEncryptedSyntheticsSavedMonitors); + + const { lastRefresh } = useSyntheticsRefreshContext(); + + const configIds = 
syntheticsMonitors.map((monitor) => monitor.id); + + const doFetch = configIds.length > 0 || onlyInvalidMonitors; + + const { data } = useEsSearch( + { + index: doFetch ? SYNTHETICS_INDEX_PATTERN : '', + body: { + size: 1000, + query: { + bool: { + filter: getInlineErrorFilters(), + }, + }, + collapse: { field: 'config_id' }, + sort: [{ [sortFieldMap[sortField]]: sortOrder }], + }, + }, + [syntheticsMonitors, lastRefresh, doFetch, sortField, sortOrder], + { name: 'getInvalidMonitors' } + ); + + const { count, loading: countLoading } = useInlineErrorsCount(); + + return useMemo(() => { + const errorSummaries = data?.hits.hits.map(({ _source: source }) => ({ + ...(source as Ping), + timestamp: (source as any)['@timestamp'], + })); + + return { loading: countLoading, errorSummaries, count }; + }, [count, countLoading, data]); +} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors_count.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors_count.ts new file mode 100644 index 0000000000000..be6e80e3f8469 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_inline_errors_count.ts 
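Review bot: useInlineErrors indexes `sortFieldMap[sortField]` with an unconstrained `sortField` string, so any value outside the four mapped keys yields a sort clause keyed `undefined` and a failing search; either type the parameter as `sortField?: keyof typeof sortFieldMap` or fall back with `sort: [{ [sortFieldMap[sortField] ?? sortField]: sortOrder }]`. getInlineErrorFilters derives the five-minute `monitor.timespan` window from `moment()` on every call, so this query and the count query in use_inline_errors_count run with slightly different windows; a comment stating that this drift is acceptable, or computing the window once and passing it in, would make the intent explicit. The generics on `sortFieldMap` and `useEsSearch` are not visible in this rendering, so the parameter typing may already be narrower than it appears here.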
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useSelector } from 'react-redux';
+import { useMemo } from 'react';
+import { useEsSearch } from '@kbn/observability-plugin/public';
+import { selectEncryptedSyntheticsSavedMonitors } from '../../../state';
+import { useSyntheticsRefreshContext } from '../../../contexts/synthetics_refresh_context';
+import { getInlineErrorFilters } from './use_inline_errors';
+import { SYNTHETICS_INDEX_PATTERN } from '../../../../../../common/constants';
+
+export function useInlineErrorsCount() {
+ const syntheticsMonitors = useSelector(selectEncryptedSyntheticsSavedMonitors);
+
+ const { lastRefresh } = useSyntheticsRefreshContext();
+
+ const { data, loading } = useEsSearch(
+ {
+ index: SYNTHETICS_INDEX_PATTERN,
+ body: {
+ size: 0,
+ query: {
+ bool: {
+ filter: getInlineErrorFilters(),
+ },
+ },
+ aggs: {
+ total: {
+ cardinality: { field: 'config_id' },
+ },
+ },
+ },
+ },
+ [syntheticsMonitors, lastRefresh],
+ { name: 'getInvalidMonitorsCount' }
+ );
+
+ return useMemo(() => {
+ const errorSummariesCount = data?.aggregations?.total.value;
+
+ return { loading: loading ?? false, count: errorSummariesCount };
+ }, [data, loading]);
+}
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_monitor_list.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_monitor_list.ts
new file mode 100644
index 0000000000000..a0e024ef748f8
--- /dev/null
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_monitor_list.ts
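Review bot: use_inline_errors_count.ts imports `getInlineErrorFilters` from './use_inline_errors' while use_inline_errors.ts imports `useInlineErrorsCount` from './use_inline_errors_count', which makes the two new modules a circular dependency; it holds together today because each import is only used inside a function body, but it breaks as soon as either side evaluates the other's export at module load. Moving `getInlineErrorFilters` (and the `sortFieldMap` next to it) into a small sibling module that both hooks import removes the cycle.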
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useCallback, useState } from 'react';
+import { useDispatch, useSelector } from 'react-redux';
+import {
+ fetchMonitorListAction,
+ MonitorListPageState,
+ selectEncryptedSyntheticsSavedMonitors,
+ selectMonitorListState,
+} from '../../../state';
+
+export function useMonitorList() {
+ const dispatch = useDispatch();
+ const [isDataQueried, setIsDataQueried] = useState(false);
+
+ const { pageState, loading, error } = useSelector(selectMonitorListState);
+ const syntheticsMonitors = useSelector(selectEncryptedSyntheticsSavedMonitors);
+
+ const loadPage = useCallback(
+ (state: MonitorListPageState) => dispatch(fetchMonitorListAction.get(state)),
+ [dispatch]
+ );
+
+ const reloadPage = useCallback(() => loadPage(pageState), [pageState, loadPage]);
+
+ // Initial loading
+ useEffect(() => {
+ if (!loading && !isDataQueried) {
+ reloadPage();
+ }
+
+ if (loading) {
+ setIsDataQueried(true);
+ }
+ }, [reloadPage, isDataQueried, syntheticsMonitors, loading]);
+
+ return {
+ loading,
+ error,
+ pageState,
+ syntheticsMonitors,
+ loadPage,
+ reloadPage,
+ isDataQueried,
+ };
+}
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/labels.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/labels.ts
new file mode 100644
index 0000000000000..dbece4ae95983
--- /dev/null
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/labels.ts
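Review bot: The initial-load effect in useMonitorList lists `syntheticsMonitors` in its dependency array but never reads it, so every monitor-list update re-runs the effect for nothing; dropping it leaves `[reloadPage, isDataQueried, loading]`. The `// Initial loading` comment could also spell out the handshake the two `if` blocks rely on, e.g. `// Dispatch the first page once; isDataQueried flips when the store reports loading so a later loading=false does not re-trigger the fetch.`, since the sequence only works if `loading` turns true promptly after the dispatch, which this file cannot show.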
@@ -0,0 +1,73 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const LOADING_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.manageMonitorLoadingLabel', + { + defaultMessage: 'Loading Monitor Management', + } +); + +export const LEARN_MORE_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.manageMonitorLoadingLabel.callout.learnMore', + { + defaultMessage: 'Learn more.', + } +); + +export const CALLOUT_MANAGEMENT_DISABLED = i18n.translate( + 'xpack.synthetics.monitorManagement.callout.disabled', + { + defaultMessage: 'Monitor Management is disabled', + } +); + +export const CALLOUT_MANAGEMENT_CONTACT_ADMIN = i18n.translate( + 'xpack.synthetics.monitorManagement.callout.disabled.adminContact', + { + defaultMessage: 'Please contact your administrator to enable Monitor Management.', + } +); + +export const CALLOUT_MANAGEMENT_DESCRIPTION = i18n.translate( + 'xpack.synthetics.monitorManagement.callout.description.disabled', + { + defaultMessage: + 'Monitor Management is currently disabled. To run your monitors on Elastic managed Synthetics service, enable Monitor Management. Your existing monitors are paused.', + } +); + +export const ERROR_HEADING_BODY = i18n.translate( + 'xpack.synthetics.monitorManagement.editMonitorError.description', + { + defaultMessage: 'Monitor Management settings could not be loaded. 
Please contact Support.', + } +); + +export const SYNTHETICS_ENABLE_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.syntheticsEnableLabel.management', + { + defaultMessage: 'Enable Monitor Management', + } +); + +export const ERROR_HEADING_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.editMonitorError', + { + defaultMessage: 'Error loading Monitor Management', + } +); + +export const BETA_TOOLTIP_MESSAGE = i18n.translate( + 'xpack.synthetics.monitors.management.betaLabel', + { + defaultMessage: + 'This functionality is in beta and is subject to change. The design and code is less mature than official generally available features and is being provided as-is with no warranties. Beta features are not subject to the support service level agreement of official generally available features.', + } +); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.test.tsx new file mode 100644 index 0000000000000..61e32d41af6df --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.test.tsx 
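Review bot: The `LEARN_MORE_LABEL` id, `xpack.synthetics.monitorManagement.manageMonitorLoadingLabel.callout.learnMore`, nests a callout link under the loading-label key; ids are the stable contract with translation bundles, so a key that names the usage, such as `xpack.synthetics.monitorManagement.callout.learnMore`, is worth choosing before translations are generated. Likewise `CALLOUT_MANAGEMENT_DESCRIPTION` uses `callout.description.disabled` while its siblings use `callout.disabled.*`; one ordering should win. If the line break inside the `ERROR_HEADING_BODY` string ("could not be loaded." / "Please contact Support.") is real rather than a rendering artifact, it is a syntax error in a single-quoted string and must be joined onto one line.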
@@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { screen } from '@testing-library/react'; +import { render } from '../../../../utils/testing/rtl_helpers'; +import { Loader } from './loader'; + +describe('', () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it('shows children when loading and error are both false', () => { + render( + + {'children'} + + ); + + expect(screen.getByText('children')).toBeInTheDocument(); + }); + + it('shows loading when loading is true', () => { + render( + + {'children'} + + ); + + expect(screen.getByText('loading')).toBeInTheDocument(); + }); + + it('shows error content when error is true ', () => { + render( + + {'children'} + + ); + + expect(screen.getByText('A problem occurred')).toBeInTheDocument(); + expect(screen.getByText('Please try again')).toBeInTheDocument(); + }); +}); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.tsx new file mode 100644 index 0000000000000..fbaf5c1d536cf --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/loader/loader.tsx 
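Review bot: The third test's name carries a trailing space, `'shows error content when error is true '`, which shows up verbatim in reporters; trim it. The `describe('')` block appears here with an empty description — fine if the component name was stripped by rendering, otherwise name it `describe('Loader', ...)`. Each test asserts that its branch's content is present but not that the other branches are absent, which is the contract `Loader` actually enforces; adding `expect(screen.queryByText('children')).not.toBeInTheDocument()` to the loading and error cases pins it.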
@@ -0,0 +1,52 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiEmptyPrompt, EuiLoadingLogo, EuiSpacer } from '@elastic/eui'; + +interface Props { + loading: boolean; + loadingTitle: React.ReactNode; + error: boolean; + errorTitle?: React.ReactNode; + errorBody?: React.ReactNode; + children: React.ReactNode; +} + +export const Loader = ({ + loading, + loadingTitle, + error, + errorTitle, + errorBody, + children, +}: Props) => { + return ( + <> + {!loading && !error ? children : null} + {error && !loading ? ( + <> + + {errorTitle}} + body={

{errorBody}

} + /> + + ) : null} + {loading ? ( + } + title={

{loadingTitle}

} + data-test-subj="uptimeLoader" + /> + ) : null} + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.test.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.test.tsx new file mode 100644 index 0000000000000..7bf951b671c95 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.test.tsx 
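Review bot: `Loader` encodes a precedence — `loading` wins over `error`, which wins over `children` — through three separate conditions (`!loading && !error`, `error && !loading`, `loading`) and nothing states it; a doc comment on the export, `/** Renders loadingTitle while loading, the error prompt when error is set and not loading, otherwise children. */`, makes the contract explicit. The error prompt has no fallback, so a caller that sets `error` without `errorTitle`/`errorBody` gets an empty prompt; either require those props alongside `error` or supply defaults. `data-test-subj="uptimeLoader"` is inherited from the uptime app although this component lives in the synthetics plugin; if no functional test depends on it yet, `syntheticsLoader` would match the surrounding code.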
@@ -0,0 +1,117 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { SyntheticsAppState } from '../../../../state/root_reducer'; +import { screen } from '@testing-library/react'; +import React from 'react'; +import { ConfigKey, DEFAULT_THROTTLING } from '../../../../../../../common/runtime_types'; +import { render } from '../../../../utils/testing/rtl_helpers'; +import { MonitorListState, ServiceLocationsState } from '../../../../state'; +import { MonitorAsyncError } from './monitor_async_error'; + +describe('', () => { + const location1 = 'US Central'; + const location2 = 'US North'; + const reason1 = 'Unauthorized'; + const reason2 = 'Forbidden'; + const status1 = 401; + const status2 = 403; + const state: Partial = { + serviceLocations: { + locations: [ + { + id: 'us_central', + label: location1, + geo: { + lat: 0, + lon: 0, + }, + url: '', + isServiceManaged: true, + }, + { + id: 'us_north', + label: location2, + geo: { + lat: 0, + lon: 0, + }, + url: '', + isServiceManaged: true, + }, + ], + throttling: DEFAULT_THROTTLING, + loading: false, + error: null, + } as ServiceLocationsState, + monitorList: { + error: null, + loading: true, + data: { + perPage: 5, + page: 1, + total: 6, + monitors: [], + syncErrors: [ + { + locationId: 'us_central', + error: { + reason: reason1, + status: status1, + }, + }, + { + locationId: 'us_north', + error: { + reason: reason2, + status: status2, + }, + }, + ], + }, + pageState: { + pageIndex: 1, + pageSize: 10, + sortOrder: 'asc', + sortField: `${ConfigKey.NAME}.keyword`, + }, + } as MonitorListState, + }; + + it('renders when errors are defined', () => { + render(, { state }); + + expect(screen.getByText(new RegExp(reason1))).toBeInTheDocument(); + expect(screen.getByText(new 
RegExp(`${status1}`))).toBeInTheDocument(); + expect(screen.getByText(new RegExp(reason2))).toBeInTheDocument(); + expect(screen.getByText(new RegExp(`${status2}`))).toBeInTheDocument(); + expect(screen.getByText(new RegExp(location1))).toBeInTheDocument(); + expect(screen.getByText(new RegExp(location2))).toBeInTheDocument(); + }); + + it('renders null when errors are empty', () => { + render(, { + state: { + ...state, + monitorList: { + ...state.monitorList, + data: { + ...(state.monitorList?.data ?? {}), + syncErrors: [], + }, + }, + } as SyntheticsAppState, + }); + + expect(screen.queryByText(new RegExp(reason1))).not.toBeInTheDocument(); + expect(screen.queryByText(new RegExp(`${status1}`))).not.toBeInTheDocument(); + expect(screen.queryByText(new RegExp(reason2))).not.toBeInTheDocument(); + expect(screen.queryByText(new RegExp(`${status2}`))).not.toBeInTheDocument(); + expect(screen.queryByText(new RegExp(location1))).not.toBeInTheDocument(); + expect(screen.queryByText(new RegExp(location2))).not.toBeInTheDocument(); + }); +}); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.tsx new file mode 100644 index 0000000000000..4f285dcb911d1 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_errors/monitor_async_error.tsx 
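Review bot: The second test is named 'renders null when errors are empty' but only checks that six strings are absent, which would also pass if the component rendered the callout header without the list; assert the stated contract instead with `const { container } = render(...)` followed by `expect(container).toBeEmptyDOMElement()`. The `Partial` annotation on `state` shows here without a type argument — presumably `Partial<SyntheticsAppState>` lost to rendering; if it really is bare `Partial`, the later `as SyntheticsAppState` cast will not type-check. Matching with `new RegExp(`${status1}`)` is loose (`/401/` matches any text containing those digits); the exact rendered line `'US Central - Status: 401; Reason: Unauthorized'` would be a sharper assertion.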
@@ -0,0 +1,87 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import React, { useState } from 'react'; +import { useSelector } from 'react-redux'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiButton, EuiCallOut, EuiSpacer } from '@elastic/eui'; +import { selectMonitorListState, selectServiceLocationsState } from '../../../../state'; + +export const MonitorAsyncError = () => { + const [isDismissed, setIsDismissed] = useState(false); + const { + data: { syncErrors }, + } = useSelector(selectMonitorListState); + const { locations } = useSelector(selectServiceLocationsState); + + return syncErrors && syncErrors.length > 0 && !isDismissed ? ( + <> + + } + color="warning" + iconType="alert" + > +

+ +

+
    + {Object.values(syncErrors ?? {}).map((e) => { + return ( +
  • + {`${ + locations.find((location) => location.id === e.locationId)?.label + } - ${STATUS_LABEL}: ${e.error?.status ?? NOT_AVAILABLE_LABEL}; ${REASON_LABEL}: ${ + e.error?.reason ?? NOT_AVAILABLE_LABEL + }`} +
  • + ); + })} +
+ setIsDismissed(true)} color="warning"> + {DISMISS_LABEL} + +
+ + + ) : null; +}; + +const REASON_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.monitorSync.failure.reasonLabel', + { + defaultMessage: 'Reason', + } +); + +const STATUS_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.monitorSync.failure.statusLabel', + { + defaultMessage: 'Status', + } +); + +const NOT_AVAILABLE_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.monitorSync.failure.notAvailable', + { + defaultMessage: 'Not available', + } +); + +const DISMISS_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.monitorSync.failure.dismissLabel', + { + defaultMessage: 'Dismiss', + } +); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_container.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_container.tsx new file mode 100644 index 0000000000000..0a9d253d287fc --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_container.tsx 
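Review bot: In the per-error line, `locations.find((location) => location.id === e.locationId)?.label` is interpolated straight into the template literal, so an error for a location that is not in `locations` (or one reported before locations have loaded) renders the text `undefined - Status: ...`; fall back to the id, `(locations.find(...)?.label ?? e.locationId)`, or to `NOT_AVAILABLE_LABEL` as the status and reason already do. `Object.values(syncErrors ?? {})` is redundant after the `syncErrors && syncErrors.length > 0` guard on the same render path — `syncErrors.map(...)` reads more directly and keeps the array type. I cannot see from this rendering whether the mapped list items carry a `key`; if not, `key={e.locationId}` is the natural one. `isDismissed` is local state, so the warning returns on every remount; if that is intended, a comment saying so prevents it being filed as a bug.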
@@ -0,0 +1,49 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; + +import { useMonitorList } from '../hooks/use_monitor_list'; +import { MonitorList } from './monitor_list_table/monitor_list'; +import { MonitorAsyncError } from './monitor_errors/monitor_async_error'; +import { useInlineErrors } from '../hooks/use_inline_errors'; + +export const MonitorListContainer = ({ isEnabled }: { isEnabled?: boolean }) => { + const { + pageState, + error, + loading: monitorsLoading, + syntheticsMonitors, + loadPage, + reloadPage, + } = useMonitorList(); + + const { errorSummaries, loading: errorsLoading } = useInlineErrors({ + onlyInvalidMonitors: false, + sortField: pageState.sortField, + sortOrder: pageState.sortOrder, + }); + + if (!isEnabled && syntheticsMonitors.length === 0) { + return null; + } + + return ( + <> + + + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/actions.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/actions.tsx new file mode 100644 index 0000000000000..9d92c584592d3 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/actions.tsx 
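Review bot: The early `return null` when `!isEnabled && syntheticsMonitors.length === 0` is the only use of the `isEnabled` prop, and nothing says why a disabled management setting with existing monitors should still render the list; a comment such as `// Management disabled: still list existing monitors, render nothing when there are none` records the intent (the sibling labels describe existing monitors as paused in that state, which presumably is the reason). `useInlineErrors` is called with `onlyInvalidMonitors: false` while the sibling count hook queries invalid monitors only; a one-line note on why the table wants all summaries would help. `MonitorListContainer` has no doc comment; one sentence on what it composes (list state hook, inline-error summaries, async sync-error callout) is enough.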
@@ -0,0 +1,184 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useContext, useEffect, useState } from 'react'; +import { EuiThemeComputed } from '@elastic/eui/src/services/theme/types'; +import { toMountPoint } from '@kbn/kibana-react-plugin/public'; +import { FETCH_STATUS, useFetcher } from '@kbn/observability-plugin/public'; +import { + EuiContextMenuPanel, + EuiContextMenuItem, + EuiPopover, + EuiButtonEmpty, + EuiConfirmModal, +} from '@elastic/eui'; +import { kibanaService } from '../../../../../../utils/kibana_service'; +import { fetchDeleteMonitor } from '../../../../state'; +import { SyntheticsSettingsContext } from '../../../../contexts/synthetics_settings_context'; + +import * as labels from './labels'; + +interface Props { + euiTheme: EuiThemeComputed; + id: string; + name: string; + canEditSynthetics: boolean; + reloadPage: () => void; +} + +export const Actions = ({ euiTheme, id, name, reloadPage, canEditSynthetics }: Props) => { + const { basePath } = useContext(SyntheticsSettingsContext); + const [isPopoverOpen, setIsPopoverOpen] = useState(false); + const [isDeleting, setIsDeleting] = useState(false); + const [isDeleteModalVisible, setIsDeleteModalVisible] = useState(false); + + const { status: monitorDeleteStatus } = useFetcher(() => { + if (isDeleting) { + return fetchDeleteMonitor({ id }); + } + }, [id, isDeleting]); + + // TODO: Move deletion logic to redux state + useEffect(() => { + if ( + monitorDeleteStatus === FETCH_STATUS.SUCCESS || + monitorDeleteStatus === FETCH_STATUS.FAILURE + ) { + setIsDeleting(false); + setIsDeleteModalVisible(false); + } + if (monitorDeleteStatus === FETCH_STATUS.FAILURE) { + kibanaService.toasts.addDanger( + { + title: toMountPoint( +

{labels.MONITOR_DELETE_FAILURE_LABEL}

+ ), + }, + { toastLifeTimeMs: 3000 } + ); + } else if (monitorDeleteStatus === FETCH_STATUS.SUCCESS) { + reloadPage(); + kibanaService.toasts.addSuccess( + { + title: toMountPoint( +

{labels.MONITOR_DELETE_SUCCESS_LABEL}

+ ), + }, + { toastLifeTimeMs: 3000 } + ); + } + }, [setIsDeleting, reloadPage, monitorDeleteStatus]); + + const openPopover = () => { + setIsPopoverOpen(true); + }; + + const closePopover = () => { + setIsPopoverOpen(false); + }; + + const handleDeleteMonitor = () => { + setIsDeleteModalVisible(true); + closePopover(); + }; + + const handleConfirmDelete = () => { + setIsDeleting(true); + }; + + const menuButton = ( + + ); + + /* + TODO: Implement duplication functionality + const duplicateMenuItem = ( + + {labels.DUPLICATE_LABEL} + + ); + */ + + /* + TODO: See if disable enabled is needed as an action menu item + const disableEnableMenuItem = ( + isDisabled ? ( + + {labels.ENABLE_LABEL} + + ) : ( + + {labels.DISABLE_LABEL} + + ) + ); + */ + + const menuItems = [ + + {labels.EDIT_LABEL} + , + + {labels.DELETE_LABEL} + , + ]; + + return ( + <> + + + + + {isDeleteModalVisible ? ( + setIsDeleteModalVisible(false)} + onConfirm={handleConfirmDelete} + cancelButtonText={labels.NO_LABEL} + confirmButtonText={labels.YES_LABEL} + buttonColor="danger" + defaultFocusedButton="confirm" + isLoading={isDeleting} + > +

{labels.DELETE_DESCRIPTION_LABEL}

+
+ ) : null} + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/columns.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/columns.tsx new file mode 100644 index 0000000000000..ece118812c0fb --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/columns.tsx 
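Review bot: The effect that shows the delete toasts depends on `reloadPage` as well as `monitorDeleteStatus`, so if `reloadPage` changes identity while `monitorDeleteStatus` is still `FETCH_STATUS.SUCCESS` (it is derived from `pageState`, which the reload itself may change) the success branch fires again: a second toast and a second reload. Keying the side effect off the transition — a ref set when the toast is shown, or clearing the status locally — avoids it; at minimum the `// TODO: Move deletion logic to redux state` comment should name this re-fire as the reason. The two large commented-out blocks (`duplicateMenuItem`, `disableEnableMenuItem`) ship as dead code; the TODOs belong in an issue and commented JSX drifts silently, so drop them. `canEditSynthetics` is taken from props but its use is not visible in this rendering; whatever UI gating it drives, the delete goes through `fetchDeleteMonitor`, so the authorization check has to be enforced by the API as well — a one-line comment would stop the prop being read as the security boundary.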
@@ -0,0 +1,157 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiBadge, EuiBasicTableColumn, EuiLink, EuiIcon, EuiThemeComputed } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; +import moment from 'moment'; +import React from 'react'; + +import { + ConfigKey, + DataStream, + EncryptedSyntheticsSavedMonitor, + Ping, + ServiceLocations, + SyntheticsMonitorSchedule, +} from '../../../../../../../common/runtime_types'; + +import { getFrequencyLabel } from './labels'; +import { Actions } from './actions'; +import { MonitorEnabled } from './monitor_enabled'; +import { MonitorLocations } from './monitor_locations'; + +export function getMonitorListColumns({ + basePath, + euiTheme, + errorSummaries, + errorSummariesById, + canEditSynthetics, + reloadPage, + syntheticsMonitors, +}: { + basePath: string; + euiTheme: EuiThemeComputed; + errorSummaries?: Ping[]; + errorSummariesById: Map; + canEditSynthetics: boolean; + syntheticsMonitors: EncryptedSyntheticsSavedMonitor[]; + reloadPage: () => void; +}) { + const getIsMonitorUnHealthy = (monitor: EncryptedSyntheticsSavedMonitor) => { + const errorSummary = errorSummariesById.get(monitor.id); + + if (errorSummary) { + return moment(monitor.updated_at).isBefore(moment(errorSummary.timestamp)); + } + + return false; + }; + + return [ + { + align: 'left' as const, + field: ConfigKey.NAME as string, + name: i18n.translate('xpack.synthetics.management.monitorList.monitorName', { + defaultMessage: 'Monitor name', + }), + sortable: true, + render: (name: string, { id }: EncryptedSyntheticsSavedMonitor) => ( + {name} + ), + }, + { + align: 'left' as const, + field: 'id', + name: i18n.translate('xpack.synthetics.management.monitorList.monitorStatus', { 
+ defaultMessage: 'Status', + }), + sortable: false, + render: (_: string, monitor: EncryptedSyntheticsSavedMonitor) => { + const isMonitorHealthy = !getIsMonitorUnHealthy(monitor); + + return ( + <> + + {isMonitorHealthy ? ( + + ) : ( + + )} + + ); + }, + }, + { + align: 'left' as const, + field: ConfigKey.MONITOR_TYPE, + name: i18n.translate('xpack.synthetics.management.monitorList.monitorType', { + defaultMessage: 'Type', + }), + sortable: true, + render: (monitorType: DataStream) => ( + {monitorType === DataStream.BROWSER ? 'Browser' : 'Ping'} + ), + }, + { + align: 'left' as const, + field: ConfigKey.LOCATIONS, + name: i18n.translate('xpack.synthetics.management.monitorList.locations', { + defaultMessage: 'Locations', + }), + render: (locations: ServiceLocations) => + locations ? : null, + }, + { + align: 'left' as const, + field: ConfigKey.SCHEDULE, + name: i18n.translate('xpack.synthetics.management.monitorList.frequency', { + defaultMessage: 'Frequency', + }), + render: (schedule: SyntheticsMonitorSchedule) => getFrequencyLabel(schedule), + }, + { + align: 'left' as const, + field: ConfigKey.ENABLED as string, + name: i18n.translate('xpack.synthetics.management.monitorList.enabled', { + defaultMessage: 'Enabled', + }), + render: (_enabled: boolean, monitor: EncryptedSyntheticsSavedMonitor) => ( + + ), + }, + { + align: 'right' as const, + name: i18n.translate('xpack.synthetics.management.monitorList.actions', { + defaultMessage: 'Actions', + }), + render: (fields: EncryptedSyntheticsSavedMonitor) => ( + + ), + }, + ] as Array>; +} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/labels.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/labels.tsx new file mode 100644 index 0000000000000..fd910f512caa4 --- /dev/null 
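Review bot: The Type column renders `monitorType === DataStream.BROWSER ? 'Browser' : 'Ping'`, which labels every non-browser data stream as 'Ping' and is the only user-visible text in this file that bypasses `i18n.translate`; map each `DataStream` value to a translated label instead. `getIsMonitorUnHealthy` looks up `errorSummariesById.get(monitor.id)` while the caller builds the map from `cur.config_id`, which only works if the two ids coincide — a comment on the `errorSummariesById` parameter should say so. In the same helper, a missing `monitor.updated_at` makes `moment(undefined)` "now", so the comparison silently reports healthy; a comment stating that a summary older than the last edit is deliberately ignored documents the intent and flags that assumption. `getMonitorListColumns` has no doc comment describing its inputs.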
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/labels.tsx 
@@ -0,0 +1,209 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { EuiI18nNumber, EuiText } from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { FormattedMessage } from '@kbn/i18n-react'; + +import { ScheduleUnit, SyntheticsMonitorSchedule } from '../../../../../../../common/runtime_types'; + +export const NO_MONITOR_ITEM_SELECTED = i18n.translate( + 'xpack.synthetics.management.monitorList.noItemForSelectedFiltersMessage', + { + defaultMessage: 'No monitors found for selected filter criteria', + description: + 'This message is shown if there are no monitors in the table and some filter or search criteria exists', + } +); + +export const LOADING = i18n.translate('xpack.synthetics.management.monitorList.loading', { + defaultMessage: 'Loading...', + description: 'Shown when the monitor list is waiting for a server response', +}); + +export const NO_DATA_MESSAGE = i18n.translate( + 'xpack.synthetics.management.monitorList.noItemMessage', + { + defaultMessage: 'No monitors found', + description: 'This message is shown if the monitors table is rendered but has no items.', + } +); + +export const EXPAND_LOCATIONS_LABEL = i18n.translate( + 'xpack.synthetics.management.monitorList.locations.expand', + { + defaultMessage: 'Click to view remaining locations', + } +); + +export const EXPAND_TAGS_LABEL = i18n.translate( + 'xpack.synthetics.management.monitorList.tags.expand', + { + defaultMessage: 'Click to view remaining tags', + } +); + +export const EDIT_LABEL = i18n.translate('xpack.synthetics.management.editLabel', { + defaultMessage: 'Edit', +}); + +export const DUPLICATE_LABEL = i18n.translate('xpack.synthetics.management.duplicateLabel', { + defaultMessage: 'Duplicate', +}); + +export const DISABLE_LABEL = 
i18n.translate('xpack.synthetics.management.disableLabel', { + defaultMessage: 'Disable', +}); + +export const ENABLE_LABEL = i18n.translate('xpack.synthetics.management.enableLabel', { + defaultMessage: 'Enable', +}); + +export const DELETE_LABEL = i18n.translate('xpack.synthetics.management.deleteLabel', { + defaultMessage: 'Delete', +}); + +export const DELETE_DESCRIPTION_LABEL = i18n.translate( + 'xpack.synthetics.management.confirmDescriptionLabel', + { + defaultMessage: + 'This action will delete the monitor but keep any data collected. This action cannot be undone.', + } +); + +export const YES_LABEL = i18n.translate('xpack.synthetics.management.yesLabel', { + defaultMessage: 'Delete', +}); + +export const NO_LABEL = i18n.translate('xpack.synthetics.management.noLabel', { + defaultMessage: 'Cancel', +}); + +export const DELETE_MONITOR_LABEL = i18n.translate( + 'xpack.synthetics.management.deleteMonitorLabel', + { + defaultMessage: 'Delete monitor', + } +); + +export const MONITOR_DELETE_SUCCESS_LABEL = i18n.translate( + 'xpack.synthetics.management.monitorDeleteSuccessMessage', + { + defaultMessage: 'Monitor deleted successfully.', + } +); + +export const MONITOR_DELETE_FAILURE_LABEL = i18n.translate( + 'xpack.synthetics.management.monitorDeleteFailureMessage', + { + defaultMessage: 'Monitor was unable to be deleted. Please try again later.', + } +); + +export const MONITOR_DELETE_LOADING_LABEL = i18n.translate( + 'xpack.synthetics.management.monitorDeleteLoadingMessage', + { + defaultMessage: 'Deleting monitor...', + } +); + +export const getRecordRangeLabel = ({ + rangeStart, + rangeEnd, + total, +}: { + rangeStart: number; + rangeEnd: number; + total: number; +}) => { + // If total is less than the end range, use total as end range. 
+ const availableEndRange = Math.min(rangeEnd, total); + + return ( + + - + + ), + total: , + monitorsLabel: ( + + {i18n.translate('xpack.synthetics.management.monitorList.recordRangeLabel', { + defaultMessage: '{monitorCount, plural, one {Monitor} other {Monitors}}', + values: { + monitorCount: total, + }, + })} + + ), + }} + /> + ); +}; + +export const getFrequencyLabel = (schedule: SyntheticsMonitorSchedule) => { + return schedule.unit === ScheduleUnit.SECONDS ? ( + + {i18n.translate('xpack.synthetics.management.monitorList.frequencyInSeconds', { + description: 'Monitor frequency in seconds', + defaultMessage: + '{countSeconds, number} {countSeconds, plural, one {second} other {seconds}}', + values: { + countSeconds: Number(schedule.number), + }, + })} + + ) : ( + + {i18n.translate('xpack.synthetics.management.monitorList.frequencyInMinutes', { + description: 'Monitor frequency in minutes', + defaultMessage: + '{countMinutes, number} {countMinutes, plural, one {minute} other {minutes}}', + values: { + countMinutes: Number(schedule.number), + }, + })} + + ); +}; + +export const ENABLE_MONITOR_LABEL = i18n.translate( + 'xpack.synthetics.management.enableMonitorLabel', + { + defaultMessage: 'Enable monitor', + } +); + +export const DISABLE_MONITOR_LABEL = i18n.translate( + 'xpack.synthetics.management.disableMonitorLabel', + { + defaultMessage: 'Disable monitor', + } +); + +export const getMonitorEnabledSuccessLabel = (name: string) => + i18n.translate('xpack.synthetics.management.monitorEnabledSuccessMessage', { + defaultMessage: 'Monitor {name} enabled successfully.', + values: { name }, + }); + +export const getMonitorDisabledSuccessLabel = (name: string) => + i18n.translate('xpack.synthetics.management.monitorDisabledSuccessMessage', { + defaultMessage: 'Monitor {name} disabled successfully.', + values: { name }, + }); + +export const getMonitorEnabledUpdateFailureMessage = (name: string) => + 
i18n.translate('xpack.synthetics.management.monitorEnabledUpdateFailureMessage', { + defaultMessage: 'Unable to update monitor {name}.', + values: { name }, + }); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_enabled.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_enabled.tsx new file mode 100644 index 0000000000000..e98ca2a466f0d --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_enabled.tsx @@ -0,0 +1,87 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { EuiSwitch, EuiSwitchEvent, EuiLoadingSpinner } from '@elastic/eui'; +import React, { useEffect, useState } from 'react'; +import { useKibana } from '@kbn/kibana-react-plugin/public'; +import { FETCH_STATUS, useFetcher } from '@kbn/observability-plugin/public'; + +import { ConfigKey, EncryptedSyntheticsMonitor } from '../../../../../../../common/runtime_types'; +import { fetchUpsertMonitor } from '../../../../state'; + +import * as labels from './labels'; + +interface Props { + id: string; + monitor: EncryptedSyntheticsMonitor; + reloadPage: () => void; + isDisabled?: boolean; +} + +export const MonitorEnabled = ({ id, monitor, reloadPage, isDisabled }: Props) => { + const [isEnabled, setIsEnabled] = useState(null); + + const { notifications } = useKibana(); + + const { status } = useFetcher(() => { + if (isEnabled !== null) { + return fetchUpsertMonitor({ id, monitor: { ...monitor, [ConfigKey.ENABLED]: isEnabled } }); + } + }, [isEnabled]); + + useEffect(() => { + if (status === FETCH_STATUS.FAILURE) { + notifications.toasts.danger({ + title: ( +
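Review bot: `YES_LABEL` and `NO_LABEL` resolve to 'Delete' and 'Cancel', so the names no longer describe the text they hold and `YES_LABEL` duplicates `DELETE_LABEL`; `CONFIRM_DELETE_LABEL`/`CANCEL_LABEL` would be accurate (the i18n ids `yesLabel`/`noLabel` can stay if translations already exist). In `getRecordRangeLabel`, `availableEndRange = Math.min(rangeEnd, total)` clamps the end but not the start, so an empty last page renders a range such as `11 - 10` (constructed example: start 11, end 20, total 10); clamp `rangeStart` the same way or return the no-monitors wording when `rangeStart > total`. The helper has no doc comment; one line noting that `rangeStart`/`rangeEnd` are 1-based and `total` caps the end would help the caller in monitor_list.tsx.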

+ {labels.getMonitorEnabledUpdateFailureMessage(monitor[ConfigKey.NAME])} +

+ ), + toastLifeTimeMs: 3000, + }); + setIsEnabled(null); + } else if (status === FETCH_STATUS.SUCCESS) { + notifications.toasts.success({ + title: ( +

+ {isEnabled + ? labels.getMonitorEnabledSuccessLabel(monitor[ConfigKey.NAME]) + : labels.getMonitorDisabledSuccessLabel(monitor[ConfigKey.NAME])} +

+ ), + toastLifeTimeMs: 3000, + }); + reloadPage(); + } + }, [status]); // eslint-disable-line react-hooks/exhaustive-deps + + const enabled = isEnabled ?? monitor[ConfigKey.ENABLED]; + const isLoading = status === FETCH_STATUS.LOADING; + + const handleEnabledChange = (event: EuiSwitchEvent) => { + const checked = event.target.checked; + setIsEnabled(checked); + }; + + return ( + <> + {isLoading ? ( + + ) : ( + + )} + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_list.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_list.tsx new file mode 100644 index 0000000000000..f692e84354666 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_list.tsx 
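Review bot: The toggle re-submits the whole cached `monitor` through `fetchUpsertMonitor` with only `[ConfigKey.ENABLED]` changed, so if someone else edited the monitor after this list was loaded, flipping the switch overwrites their changes (last-write-wins); if the API offers a partial update or an `updated_at`/version precondition, use it, otherwise a comment on the `useFetcher` call should record the trade-off. The fetch callback closes over `monitor` and `id` but its dependency list is `[isEnabled]`, so a later `monitor` prop change is not seen by the next toggle unless `useFetcher` re-creates the callback every render — `[isEnabled, id, monitor]` is safer. On success `isEnabled` is left set rather than reset to `null` as the failure path does, so the switch keeps showing local state after `reloadPage()` refreshes `monitor`; consider resetting it so the server value wins once the reload lands.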
@@ -0,0 +1,139 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useCallback, useContext, useMemo } from 'react'; +import { + Criteria, + EuiBasicTable, + EuiTableSortingType, + EuiPanel, + EuiSpacer, + useEuiTheme, +} from '@elastic/eui'; +import { i18n } from '@kbn/i18n'; +import { IHttpSerializedFetchError } from '../../../../state/utils/http_error'; +import { MonitorListPageState } from '../../../../state'; +import { useCanEditSynthetics } from '../../../../../../hooks/use_capabilities'; +import { + ConfigKey, + Ping, + EncryptedSyntheticsSavedMonitor, +} from '../../../../../../../common/runtime_types'; +import { SyntheticsSettingsContext } from '../../../../contexts/synthetics_settings_context'; +import { useBreakpoints } from '../../../../hooks'; +import { getMonitorListColumns } from './columns'; +import * as labels from './labels'; + +interface Props { + pageState: MonitorListPageState; + syntheticsMonitors: EncryptedSyntheticsSavedMonitor[]; + error: IHttpSerializedFetchError | null; + loading: boolean; + loadPage: (state: MonitorListPageState) => void; + reloadPage: () => void; + errorSummaries?: Ping[]; +} + +export const MonitorList = ({ + pageState: { pageIndex, pageSize, sortField, sortOrder }, + syntheticsMonitors, + error, + loading, + loadPage, + reloadPage, + errorSummaries, +}: Props) => { + const { basePath } = useContext(SyntheticsSettingsContext); + const isXl = useBreakpoints().up('xl'); + const canEditSynthetics = useCanEditSynthetics(); + const { euiTheme } = useEuiTheme(); + + const errorSummariesById = useMemo( + () => + (errorSummaries ?? 
[]).reduce((acc, cur) => { + if (cur.config_id) { + acc.set(cur.config_id, cur); + } + return acc; + }, new Map()), + [errorSummaries] + ); + + const handleOnChange = useCallback( + ({ + page = { index: 0, size: 10 }, + sort = { field: ConfigKey.NAME, direction: 'asc' }, + }: Criteria) => { + const { index, size } = page; + const { field, direction } = sort; + + loadPage({ + pageIndex: index, + pageSize: size, + sortField: `${field}.keyword`, + sortOrder: direction, + }); + }, + [loadPage] + ); + + const pagination = { + pageIndex: pageIndex - 1, // page index for EuiBasicTable is base 0 + pageSize, + totalItemCount: syntheticsMonitors.length || 0, + pageSizeOptions: [5, 10, 25, 50, 100], + }; + + const sorting: EuiTableSortingType = { + sort: { + field: sortField.replace('.keyword', '') as keyof EncryptedSyntheticsSavedMonitor, + direction: sortOrder, + }, + }; + + const recordRangeLabel = labels.getRecordRangeLabel({ + rangeStart: pageSize * pageIndex + 1, + rangeEnd: pageSize * pageIndex + pageSize, + total: syntheticsMonitors.length, + }); + + const columns = getMonitorListColumns({ + basePath, + euiTheme, + errorSummaries, + errorSummariesById, + canEditSynthetics, + syntheticsMonitors, + reloadPage, + }); + + return ( + + + {recordRangeLabel} + +
+ +
+ ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_locations.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_locations.tsx new file mode 100644 index 0000000000000..fc9b014b18481 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/monitor_locations.tsx @@ -0,0 +1,51 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useState } from 'react'; +import { EuiBadge, EuiBadgeGroup } from '@elastic/eui'; +import { ServiceLocations, ServiceLocation } from '../../../../../../../common/runtime_types'; +import { useLocations } from '../../../../hooks/use_locations'; +import { EXPAND_LOCATIONS_LABEL } from './labels'; + +interface Props { + locations: ServiceLocations; +} + +const INITIAL_LIMIT = 3; + +export const MonitorLocations = ({ locations }: Props) => { + const { locations: allLocations } = useLocations(); + const [toDisplay, setToDisplay] = useState(INITIAL_LIMIT); + + const locationsToDisplay = locations.slice(0, toDisplay); + + return ( + + {locationsToDisplay.map((location: ServiceLocation) => ( + + {`${allLocations.find((loc) => loc.id === location.id)?.label}`} + + ))} + {locations.length > toDisplay && ( + { + setToDisplay(locations.length); + }} + onClickAriaLabel={EXPAND_LOCATIONS_LABEL} + > + +{locations.length - INITIAL_LIMIT} + + )} + + ); +}; 
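Review bot: The page-index base is inconsistent inside this hunk: `pagination` does `pageIndex: pageIndex - 1` and so treats `pageState.pageIndex` as 1-based, but `handleOnChange` stores EuiBasicTable's 0-based `index` straight into `loadPage({ pageIndex: index, ... })`, and the query mapper in this same PR (api.ts, `page: pageState.pageIndex + 1`) also assumes 0-based, so whichever base the initial state uses, one side is off by one page and the table's displayed page stops matching the request. With a 0-based state the fix is the single line `pageIndex,` in `pagination` (`rangeStart: pageSize * pageIndex + 1` is already correct for that base). Separately, `totalItemCount: syntheticsMonitors.length || 0` is the size of the current page rather than the server total, so paging forward is impossible whenever the API paginates; the deleted overview page read `total` from the list selector, and that value should feed both `totalItemCount` and the `total` passed to `getRecordRangeLabel`.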
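Review bot: The badge text `{`${allLocations.find((loc) => loc.id === location.id)?.label}`}` renders the literal string "undefined" whenever a monitor references a location id that `allLocations` does not contain, including the window before `useLocations()` has loaded. Fall back to the monitor's own location data instead, `{allLocations.find((loc) => loc.id === location.id)?.label ?? location.label ?? location.id}`, assuming `ServiceLocation` carries `label` as the `allLocations` entries read here do.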
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/tags.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/tags.tsx new file mode 100644 index 0000000000000..b50d97fcecefa --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/monitor_list_table/tags.tsx @@ -0,0 +1,47 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useState } from 'react'; +import { EuiBadge, EuiBadgeGroup } from '@elastic/eui'; +import { EXPAND_TAGS_LABEL } from './labels'; + +interface Props { + tags: string[]; +} + +export const MonitorTags = ({ tags }: Props) => { + const [toDisplay, setToDisplay] = useState(5); + + const tagsToDisplay = tags.slice(0, toDisplay); + + return ( + + {tagsToDisplay.map((tag) => ( + // filtering only makes sense in monitor list, where we have summary + + {tag} + + ))} + {tags.length > toDisplay && ( + { + setToDisplay(tags.length); + }} + onClickAriaLabel={EXPAND_TAGS_LABEL} + > + +{tags.length - 5} + + )} + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/page_header/monitors_page_header.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/page_header/monitors_page_header.tsx new file mode 100644 index 0000000000000..8dbeaa74d618d --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/page_header/monitors_page_header.tsx 
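Review bot: The initial display limit is a magic number written twice, `useState(5)` and `+{tags.length - 5}`, so changing one silently corrupts the overflow count; hoist it the way monitor_locations.tsx does with `const INITIAL_LIMIT = 3;`, i.e. `const INITIAL_LIMIT = 5;`, `useState(INITIAL_LIMIT)`, `+{tags.length - INITIAL_LIMIT}`. The comment `// filtering only makes sense in monitor list, where we have summary` sits on the badge map but nothing in this component filters, so either delete it or say what it refers to.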
@@ -0,0 +1,50 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useContext } from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { EuiBetaBadge, EuiButton, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; + +import { MONITOR_ADD_ROUTE } from '../../../../../../../common/constants'; + +import { SyntheticsSettingsContext } from '../../../../contexts/synthetics_settings_context'; + +import { BETA_TOOLTIP_MESSAGE } from '../labels'; + +export const MonitorsPageHeader = () => { + const { basePath } = useContext(SyntheticsSettingsContext); + + return ( + + + + + +
+ +
+
+ + + + + +
+ ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/show_sync_errors.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/show_sync_errors.tsx similarity index 98% rename from x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/show_sync_errors.tsx rename to x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/show_sync_errors.tsx index 2d4412b71f230..ee048593e5de1 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitor_management/show_sync_errors.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/show_sync_errors.tsx @@ -9,7 +9,7 @@ import React from 'react'; import { i18n } from '@kbn/i18n'; import { toMountPoint } from '@kbn/kibana-react-plugin/public'; import { IToasts } from '@kbn/core/public'; -import { ServiceLocationErrors, ServiceLocations } from '../../../../../common/runtime_types'; +import { ServiceLocationErrors, ServiceLocations } from '../../../../../../common/runtime_types'; export const showSyncErrors = ( errors: ServiceLocationErrors, diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/labels.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/labels.ts new file mode 100644 index 0000000000000..ad7220e328f3b --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/labels.ts 
@@ -0,0 +1,87 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +export const SYNTHETICS_ENABLE_FAILURE = i18n.translate( + 'xpack.synthetics.monitorManagement.syntheticsEnabledFailure', + { + defaultMessage: 'Monitor Management was not able to be enabled. Please contact support.', + } +); + +export const SYNTHETICS_DISABLE_FAILURE = i18n.translate( + 'xpack.synthetics.monitorManagement.syntheticsDisabledFailure', + { + defaultMessage: 'Monitor Management was not able to be disabled. Please contact support.', + } +); + +export const SYNTHETICS_ENABLE_SUCCESS = i18n.translate( + 'xpack.synthetics.monitorManagement.syntheticsEnableSuccess', + { + defaultMessage: 'Monitor Management enabled successfully.', + } +); + +export const SYNTHETICS_DISABLE_SUCCESS = i18n.translate( + 'xpack.synthetics.monitorManagement.syntheticsDisabledSuccess', + { + defaultMessage: 'Monitor Management disabled successfully.', + } +); + +export const MONITOR_MANAGEMENT_ENABLEMENT_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.enabled.title', + { + defaultMessage: 'Enable Monitor Management', + } +); + +export const MONITOR_MANAGEMENT_DISABLED_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.disabled.title', + { + defaultMessage: 'Monitor Management is disabled', + } +); + +export const MONITOR_MANAGEMENT_ENABLEMENT_MESSAGE = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement', + { + defaultMessage: + 'Enable Monitor Management to run lightweight and real-browser monitors from hosted testing locations around the world. 
Enabling Monitor Management will generate an API key to allow the Synthetics Service to write back to your Elasticsearch cluster.', + } +); + +export const MONITOR_MANAGEMENT_DISABLED_MESSAGE = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.disabledDescription', + { + defaultMessage: + 'Monitor Management is currently disabled. Monitor Management allows you to run lightweight and real-browser monitors from hosted testing locations around the world. To enable Monitor Management, please contact an administrator.', + } +); + +export const MONITOR_MANAGEMENT_ENABLEMENT_BTN_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.title', + { + defaultMessage: 'Enable', + } +); + +export const DOCS_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.doc', + { + defaultMessage: 'Read the docs', + } +); + +export const LEARN_MORE_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.emptyState.enablement.learnMore', + { + defaultMessage: 'Want to learn more?', + } +); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/synthetics_enablement.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/synthetics_enablement.tsx new file mode 100644 index 0000000000000..643764f0d3f97 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/management/synthetics_enablement/synthetics_enablement.tsx 
@@ -0,0 +1,102 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React, { useState, useEffect, useRef } from 'react'; +import { EuiEmptyPrompt, EuiButton, EuiTitle, EuiLink } from '@elastic/eui'; +import { useEnablement } from '../../../../hooks/use_enablement'; +import { kibanaService } from '../../../../../../utils/kibana_service'; +import * as labels from './labels'; + +export const EnablementEmptyState = () => { + const { error, enablement, enableSynthetics, loading } = useEnablement(); + const [shouldFocusEnablementButton, setShouldFocusEnablementButton] = useState(false); + const [isEnabling, setIsEnabling] = useState(false); + const { isEnabled, canEnable } = enablement; + const isEnabledRef = useRef(isEnabled); + const buttonRef = useRef(null); + + useEffect(() => { + if (!isEnabled && isEnabledRef.current === true) { + /* shift focus to enable button when enable toggle disappears. Prevent + * focus loss on the page */ + setShouldFocusEnablementButton(true); + } + isEnabledRef.current = Boolean(isEnabled); + }, [isEnabled]); + + useEffect(() => { + if (isEnabling && isEnabled) { + setIsEnabling(false); + kibanaService.toasts.addSuccess({ + title: labels.SYNTHETICS_ENABLE_SUCCESS, + toastLifeTimeMs: 3000, + }); + } else if (isEnabling && error) { + setIsEnabling(false); + kibanaService.toasts.addSuccess({ + title: labels.SYNTHETICS_DISABLE_SUCCESS, + toastLifeTimeMs: 3000, + }); + } + }, [isEnabled, isEnabling, error]); + + const handleEnableSynthetics = () => { + enableSynthetics(); + setIsEnabling(true); + }; + + useEffect(() => { + if (shouldFocusEnablementButton) { + buttonRef.current?.focus(); + } + }, [shouldFocusEnablementButton]); + + return !isEnabled && !loading ? ( + + {canEnable + ? 
labels.MONITOR_MANAGEMENT_ENABLEMENT_LABEL + : labels.MONITOR_MANAGEMENT_DISABLED_LABEL} + + } + body={ +

+ {canEnable + ? labels.MONITOR_MANAGEMENT_ENABLEMENT_MESSAGE + : labels.MONITOR_MANAGEMENT_DISABLED_MESSAGE} +

+ } + actions={ + canEnable ? ( + + {labels.MONITOR_MANAGEMENT_ENABLEMENT_BTN_LABEL} + + ) : null + } + footer={ + <> + +

{labels.LEARN_MORE_LABEL}

+
+ + {labels.DOCS_LABEL} + + + } + /> + ) : null; +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/monitor_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/monitor_page.tsx new file mode 100644 index 0000000000000..41d5c611e97e4 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/monitor_page.tsx 
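Review bot: The failure branch of the toast effect reports success: `} else if (isEnabling && error) {` calls `kibanaService.toasts.addSuccess({ title: labels.SYNTHETICS_DISABLE_SUCCESS, ... })`, so a failed enable attempt tells the user Monitor Management was disabled successfully, and `SYNTHETICS_ENABLE_FAILURE` from the accompanying labels.ts is never referenced in this hunk. It should read `kibanaService.toasts.addDanger({ title: labels.SYNTHETICS_ENABLE_FAILURE, toastLifeTimeMs: 3000 });`; since the labels file says enabling generates an API key for the Synthetics Service, misreporting this outcome hides a failed credential setup from the admin. One further caveat: the branch tests the store's `error` value, so if the reducer does not clear `error` when a new enable request is dispatched (not visible here), a stale error from an earlier attempt fires this toast immediately on the next click.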
@@ -0,0 +1,88 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { Redirect } from 'react-router-dom'; +import { EuiButton, EuiCallOut, EuiLink, EuiSpacer } from '@elastic/eui'; +import { useTrackPageview } from '@kbn/observability-plugin/public'; + +import { GETTING_STARTED_ROUTE } from '../../../../../common/constants'; + +import { useLocations } from '../../hooks/use_locations'; + +import { Loader } from './management/loader/loader'; +import { useEnablement } from '../../hooks/use_enablement'; + +import { EnablementEmptyState } from './management/synthetics_enablement/synthetics_enablement'; +import { MonitorListContainer } from './management/monitor_list_container'; +import { useMonitorListBreadcrumbs } from './hooks/use_breadcrumbs'; +import { useMonitorList } from './hooks/use_monitor_list'; +import * as labels from './management/labels'; + +export const MonitorPage: React.FC = () => { + useTrackPageview({ app: 'synthetics', path: 'monitors' }); + useTrackPageview({ app: 'synthetics', path: 'monitors', delay: 15000 }); + + useMonitorListBreadcrumbs(); + + const { syntheticsMonitors, loading: monitorsLoading, isDataQueried } = useMonitorList(); + + const { + error: enablementError, + enablement: { isEnabled, canEnable }, + loading: enablementLoading, + enableSynthetics, + } = useEnablement(); + + const { loading: locationsLoading } = useLocations(); + const showEmptyState = isEnabled !== undefined && syntheticsMonitors.length === 0; + + if (isEnabled && !monitorsLoading && syntheticsMonitors.length === 0 && isDataQueried) { + return ; + } + + return ( + <> + + {!isEnabled && syntheticsMonitors.length > 0 ? ( + <> + +

{labels.CALLOUT_MANAGEMENT_DESCRIPTION}

+ {canEnable ? ( + { + enableSynthetics(); + }} + > + {labels.SYNTHETICS_ENABLE_LABEL} + + ) : ( +

+ {labels.CALLOUT_MANAGEMENT_CONTACT_ADMIN}{' '} + + {labels.LEARN_MORE_LABEL} + +

+ )} +
+ + + ) : null} + +
+ {showEmptyState && } + + ); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_error.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_error.tsx similarity index 100% rename from x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_error.tsx rename to x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_error.tsx index 3f2150169e2df..f842518af6ec9 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_error.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_error.tsx @@ -5,9 +5,9 @@ * 2.0. */ +import React, { Fragment } from 'react'; import { EuiEmptyPrompt, EuiPanel, EuiTitle, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import React, { Fragment } from 'react'; import { IHttpFetchError, ResponseErrorBody } from '@kbn/core/public'; interface EmptyStateErrorProps { diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_loading.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_loading.tsx similarity index 100% rename from x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_loading.tsx rename to x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_loading.tsx index 0f71c9bafa962..ca14e3751c949 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/empty_state/empty_state_loading.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/empty_state/empty_state_loading.tsx 
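Review bot: The callout's `onClick={() => { enableSynthetics(); }}` gives no feedback on the outcome: the success/failure toasts live in `EnablementEmptyState`, which this page renders only when `syntheticsMonitors.length === 0`, the opposite of the `syntheticsMonitors.length > 0` branch the callout sits in, and `enablementError` is destructured but nothing visible surfaces it (unless the stripped `Loader` props do). An admin whose enable call fails, and with it the API-key generation the labels describe, sees the callout stay put with no error; consider hoisting the toast effect out of the empty state into a hook both paths share, or at least rendering `enablementError` next to the button. Also `showEmptyState` ignores `monitorsLoading` and `isDataQueried` even though the redirect just above guards on both, so the empty state can flash before the first list response arrives.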
@@ -5,9 +5,9 @@ * 2.0. */ +import React, { Fragment } from 'react'; import { EuiEmptyPrompt, EuiLoadingSpinner, EuiSpacer, EuiTitle } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import React, { Fragment } from 'react'; export const EmptyStateLoading = () => ( { diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview_page.tsx new file mode 100644 index 0000000000000..134d8c024555e --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/overview_page.tsx @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { useTrackPageview } from '@kbn/observability-plugin/public'; +import { Redirect } from 'react-router-dom'; +import { useEnablement } from '../../../hooks'; + +import { MONITORS_ROUTE, GETTING_STARTED_ROUTE } from '../../../../../../common/constants'; + +import { useMonitorList } from '../hooks/use_monitor_list'; +import { useOverviewBreadcrumbs } from './use_breadcrumbs'; + +export const OverviewPage: React.FC = () => { + useTrackPageview({ app: 'synthetics', path: 'overview' }); + useTrackPageview({ app: 'synthetics', path: 'overview', delay: 15000 }); + useOverviewBreadcrumbs(); + + const { + enablement: { isEnabled }, + loading: enablementLoading, + } = useEnablement(); + + const { syntheticsMonitors, loading: monitorsLoading } = useMonitorList(); + + if (!enablementLoading && isEnabled && !monitorsLoading && syntheticsMonitors.length === 0) { + return ; + } else { + return ; + } +}; 
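Review bot: The redirect choice in this hunk is made before the data it depends on has necessarily been requested: `useMonitorList()` yields `syntheticsMonitors` and `loading`, and `if (!enablementLoading && isEnabled && !monitorsLoading && syntheticsMonitors.length === 0)` is evaluated on the first render when neither loading flag need have flipped yet, while the `else` branch (given the imports, presumably `<Redirect to={MONITORS_ROUTE} />`) redirects unconditionally even mid-load. monitor_page.tsx in this same PR guards its equivalent redirect with `isDataQueried`; mirroring that here, `const { syntheticsMonitors, loading: monitorsLoading, isDataQueried } = useMonitorList();` plus `&& isDataQueried` in the condition (rendering nothing or a loader until then), keeps a user who has monitors from bouncing through the getting-started page.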
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/use_breadcrumbs.ts b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/use_breadcrumbs.ts similarity index 85% rename from x-pack/plugins/synthetics/public/apps/synthetics/components/overview/use_breadcrumbs.ts rename to x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/use_breadcrumbs.ts index d33a0fd3c20cc..9f0ab7d740ec5 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/use_breadcrumbs.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/components/monitors_page/overview/use_breadcrumbs.ts @@ -6,8 +6,8 @@ */ import { i18n } from '@kbn/i18n'; import { useKibana } from '@kbn/kibana-react-plugin/public'; -import { useBreadcrumbs } from '../../hooks/use_breadcrumbs'; -import { PLUGIN } from '../../../../../common/constants/plugin'; +import { useBreadcrumbs } from '../../../hooks/use_breadcrumbs'; +import { PLUGIN } from '../../../../../../common/constants/plugin'; export const useOverviewBreadcrumbs = () => { const kibana = useKibana(); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/overview_page.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/overview_page.tsx deleted file mode 100644 index 9e229308a402e..0000000000000 --- a/x-pack/plugins/synthetics/public/apps/synthetics/components/overview/overview_page.tsx +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { EuiFlexGroup, EuiFlexItem, EuiLink } from '@elastic/eui'; -import React, { useEffect } from 'react'; -import { useTrackPageview } from '@kbn/observability-plugin/public'; -import { useDispatch, useSelector } from 'react-redux'; -import { Redirect } from 'react-router-dom'; -import { monitorListSelector } from '../../state/monitor_management/selectors'; -import { GETTING_STARTED_ROUTE } from '../../../../../common/constants'; -import { fetchMonitorListAction } from '../../state/monitor_management/monitor_list'; -import { useSyntheticsSettingsContext } from '../../contexts'; -import { useOverviewBreadcrumbs } from './use_breadcrumbs'; - -export const OverviewPage: React.FC = () => { - useTrackPageview({ app: 'synthetics', path: 'overview' }); - useTrackPageview({ app: 'synthetics', path: 'overview', delay: 15000 }); - useOverviewBreadcrumbs(); - const { basePath } = useSyntheticsSettingsContext(); - - const dispatch = useDispatch(); - - const { total } = useSelector(monitorListSelector); - - useEffect(() => { - dispatch(fetchMonitorListAction.get()); - }, [dispatch]); - - if (total === 0) { - return ; - } - - return ( - - -

This page should show empty state or overview

-
- - Monitor Management - - - Add Monitor - -
- ); -}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/contexts/synthetics_data_view_context.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/contexts/synthetics_data_view_context.tsx index af657abd77540..4ddd22a23cbdb 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/contexts/synthetics_data_view_context.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/contexts/synthetics_data_view_context.tsx @@ -8,7 +8,7 @@ import React, { createContext, useContext } from 'react'; import { useFetcher } from '@kbn/observability-plugin/public'; import { DataViewsPublicPluginStart, DataView } from '@kbn/data-views-plugin/public'; -import { useHasData } from '../components/overview/empty_state/use_has_data'; +import { useHasData } from '../components/monitors_page/overview/empty_state/use_has_data'; export const SyntheticsDataViewContext = createContext({} as DataView); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/index.ts b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/index.ts index c3cde2eaffec5..320c41b7ee1f8 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/index.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/index.ts @@ -9,3 +9,4 @@ export * from './use_url_params'; export * from './use_breadcrumbs'; export * from '../../../hooks/use_breakpoints'; export * from './use_service_allowed'; +export * from './use_enablement'; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_enablement.ts b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_enablement.ts new file mode 100644 index 0000000000000..74a430240b616 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_enablement.ts 
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useCallback } from 'react';
+import { useDispatch, useSelector } from 'react-redux';
+import {
+ getSyntheticsEnablement,
+ enableSynthetics,
+ disableSynthetics,
+ selectSyntheticsEnablement,
+} from '../state';
+
+export function useEnablement() {
+ const dispatch = useDispatch();
+
+ const { loading, error, enablement } = useSelector(selectSyntheticsEnablement);
+
+ useEffect(() => {
+ if (!enablement) {
+ dispatch(getSyntheticsEnablement());
+ }
+ }, [dispatch, enablement]);
+
+ return {
+ enablement: {
+ areApiKeysEnabled: enablement?.areApiKeysEnabled,
+ canEnable: enablement?.canEnable,
+ isEnabled: enablement?.isEnabled,
+ },
+ error,
+ loading,
+ enableSynthetics: useCallback(() => dispatch(enableSynthetics()), [dispatch]),
+ disableSynthetics: useCallback(() => dispatch(disableSynthetics()), [dispatch]),
+ };
+}
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_locations.ts b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_locations.ts
new file mode 100644
index 0000000000000..67b2b9fc1b76b
--- /dev/null
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/hooks/use_locations.ts
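Review bot: The fetch guard `if (!enablement) { dispatch(getSyntheticsEnablement()); }` ignores `loading`, so every component that mounts `useEnablement()` before the first response lands dispatches its own request; in this PR `MonitorPage`, `OverviewPage` and `EnablementEmptyState` all call it, and `MonitorPage` renders `EnablementEmptyState`, so at least two requests go out per page load unless the reducer or an effect dedupes them (not visible here). Guard on the in-flight state too, `if (!enablement && !loading) {`, with `loading` added to the dependency array. A one-line doc comment on the hook stating that it fetches on first use and that every `enablement.*` field is `undefined` until then would also help callers, since `isEnabled` being `undefined` is what monitor_page.tsx keys its empty state on.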
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect } from 'react';
+import { useDispatch, useSelector } from 'react-redux';
+import { getServiceLocations, selectServiceLocationsState } from '../state';
+
+export function useLocations() {
+ const dispatch = useDispatch();
+ const { error, loading, locations, throttling } = useSelector(selectServiceLocationsState);
+
+ useEffect(() => {
+ if (!locations.length) {
+ dispatch(getServiceLocations());
+ }
+ }, [dispatch, locations]);
+
+ return {
+ error,
+ loading,
+ locations,
+ throttling,
+ };
+}
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/routes.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/routes.tsx
index 27f2599fbc102..75f0604e0c246 100644
--- a/x-pack/plugins/synthetics/public/apps/synthetics/routes.tsx
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/routes.tsx
@@ -5,8 +5,10 @@ * 2.0. */
+import { EuiThemeComputed } from '@elastic/eui/src/services/theme/types';
 import React, { FC, useEffect } from 'react';
-import { EuiPageTemplateProps, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
+import { tint } from 'polished';
+import { EuiPageTemplateProps, EuiFlexGroup, EuiFlexItem, useEuiTheme } from '@elastic/eui';
 import { Route, Switch } from 'react-router-dom';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { i18n } from '@kbn/i18n';
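Review bot: `if (!locations.length) { dispatch(getServiceLocations()); }` with `[dispatch, locations]` as dependencies re-dispatches whenever the store hands back a new empty array, so if the reducer assigns a fresh `[]` on error or on a legitimately empty response (not visible here), this effect becomes a request loop against the locations endpoint. Guard on the request state as well, `if (!locations.length && !loading && !error) {`, adding `loading` and `error` to the dependency list, and document on the hook that an empty `locations` is what it treats as "not yet fetched".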
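Review bot: `import { EuiThemeComputed } from '@elastic/eui/src/services/theme/types';` reaches into the package's `src` tree, which is not part of its public surface and breaks on any internal reorganisation; `EuiThemeComputed` appears to be exported from the package root alongside `useEuiTheme`, which this same hunk imports from `@elastic/eui`, so fold it into that line: `import { EuiPageTemplateProps, EuiFlexGroup, EuiFlexItem, EuiThemeComputed, useEuiTheme } from '@elastic/eui';`. The `tint` import from `polished` is new to this file; confirm it is a declared dependency of the plugin rather than one resolved transitively.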
@@ -14,17 +16,18 @@ import { APP_WRAPPER_CLASS } from '@kbn/core/public'; import { useInspectorContext } from '@kbn/observability-plugin/public'; import { GettingStartedPage } from './components/getting_started/getting_started_page'; import { MonitorAddEditPage } from './components/monitor_add_edit/monitor_add_edit_page'; -import { OverviewPage } from './components/overview/overview_page'; +import { MonitorsPageHeader } from './components/monitors_page/management/page_header/monitors_page_header'; +import { OverviewPage } from './components/monitors_page/overview/overview_page'; import { SyntheticsPageTemplateComponent } from './components/common/pages/synthetics_page_template'; import { NotFoundPage } from './components/common/pages/not_found'; import { ServiceAllowedWrapper } from './components/common/wrappers/service_allowed_wrapper'; import { - GETTING_STARTED_ROUTE, MONITOR_ADD_ROUTE, - MONITOR_MANAGEMENT_ROUTE, + MONITORS_ROUTE, OVERVIEW_ROUTE, + GETTING_STARTED_ROUTE, } from '../../../common/constants'; -import { MonitorManagementPage } from './components/monitor_management/monitor_management_page'; +import { MonitorPage } from './components/monitors_page/monitor_page'; import { apiService } from '../../utils/api_service'; type RouteProps = { @@ -43,7 +46,14 @@ const baseTitle = i18n.translate('xpack.synthetics.routes.baseTitle', { defaultMessage: 'Synthetics - Kibana', }); -const getRoutes = (): RouteProps[] => { +export const MONITOR_MANAGEMENT_LABEL = i18n.translate( + 'xpack.synthetics.monitorManagement.heading', + { + defaultMessage: 'Monitor Management', + } +); + +const getRoutes = (euiTheme: EuiThemeComputed): RouteProps[] => { return [ { title: i18n.translate('xpack.synthetics.gettingStartedRoute.title', { 
@@ -88,26 +98,37 @@ const getRoutes = (): RouteProps[] => { defaultMessage: 'Monitor Management | {baseTitle}', values: { baseTitle }, }), - path: MONITOR_MANAGEMENT_ROUTE, + path: MONITORS_ROUTE, component: () => ( - - - + <> + + + + ), dataTestSubj: 'syntheticsMonitorManagementPage', + paddingSize: 'none', + pageBodyProps: { + style: { backgroundColor: tint(0.5, euiTheme.colors.body) }, + }, + pageContentProps: { + paddingSize: 'l', + style: { backgroundColor: euiTheme.colors.ghost }, + }, pageHeader: { - pageTitle: ( - - + paddingSize: 'l', + style: { margin: 0 }, + pageTitle: , + tabs: [ + { + label: ( - - - ), - rightSideItems: [ - /* */ + ), + isSelected: true, + }, ], }, }, @@ -145,8 +166,9 @@ const RouteInit: React.FC> = ({ path, title } }; export const PageRouter: FC = () => { - const routes = getRoutes(); const { addInspectorRequest } = useInspectorContext(); + const { euiTheme } = useEuiTheme(); + const routes = getRoutes(euiTheme); apiService.addInspectorRequest = addInspectorRequest; @@ -160,7 +182,7 @@ export const PageRouter: FC = () => { dataTestSubj, pageHeader, ...pageTemplateProps - }) => ( + }: RouteProps) => (
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/index.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/index.ts index 5bc9517d6aa11..af377f27387a3 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/index.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/index.ts @@ -8,6 +8,10 @@ export { store, storage } from './store'; export type { SyntheticsAppState as AppState } from './root_reducer'; +export type { IHttpSerializedFetchError } from './utils/http_error'; export * from './ui'; export * from './index_status'; +export * from './synthetics_enablement'; +export * from './service_locations'; +export * from './monitor_list'; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/actions.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/actions.ts new file mode 100644 index 0000000000000..b9969cca2afc6 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/actions.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { MonitorManagementListResult } from '../../../../../common/runtime_types'; +import { createAsyncAction } from '../utils/actions'; + +import { MonitorListPageState } from './models'; + +export const fetchMonitorListAction = createAsyncAction< + MonitorListPageState, + MonitorManagementListResult +>('fetchMonitorListAction'); 
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/api.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts similarity index 56% rename from x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/api.ts rename to x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts index 777e72069f6f2..b500a3d8d8688 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/api.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/api.ts 
@@ -5,53 +5,66 @@ * 2.0. */ -import { ServiceLocationsState } from './service_locations'; -import { apiService } from '../../../../utils/api_service'; +import { API_URLS } from '../../../../../common/constants'; import { EncryptedSyntheticsMonitor, FetchMonitorManagementListQueryArgs, MonitorManagementListResult, MonitorManagementListResultCodec, ServiceLocationErrors, - ServiceLocationsApiResponseCodec, SyntheticsMonitor, - SyntheticsMonitorWithId, } from '../../../../../common/runtime_types'; -import { API_URLS } from '../../../../../common/constants'; - -export const createMonitorAPI = async ({ - monitor, -}: { - monitor: SyntheticsMonitor | EncryptedSyntheticsMonitor; -}): Promise<{ attributes: { errors: ServiceLocationErrors } } | SyntheticsMonitor> => { - return await apiService.post(API_URLS.SYNTHETICS_MONITORS, monitor); -}; +import { apiService } from '../../../../utils/api_service'; -export const updateMonitorAPI = async ({ - monitor, - id, -}: { - monitor: SyntheticsMonitor | EncryptedSyntheticsMonitor; - id: string; -}): Promise<{ attributes: { errors: ServiceLocationErrors } } | SyntheticsMonitorWithId> => { - return await apiService.put(`${API_URLS.SYNTHETICS_MONITORS}/${id}`, monitor); -}; +import { MonitorListPageState } from './models'; -export const fetchServiceLocations = async (): Promise => { - const { throttling, locations } = await apiService.get( - API_URLS.SERVICE_LOCATIONS, - undefined, - ServiceLocationsApiResponseCodec - ); - return { throttling, locations }; -}; +function toMonitorManagementListQueryArgs( + pageState: MonitorListPageState +): FetchMonitorManagementListQueryArgs { + return { + perPage: pageState.pageSize, + page: pageState.pageIndex + 1, + sortOrder: pageState.sortOrder, + sortField: pageState.sortField, + search: '', + searchFields: [], + }; +} export const fetchMonitorManagementList = async ( - params: FetchMonitorManagementListQueryArgs + pageState: MonitorListPageState ): Promise => { + const params = 
toMonitorManagementListQueryArgs(pageState); + return await apiService.get( API_URLS.SYNTHETICS_MONITORS, params, MonitorManagementListResultCodec ); }; + +export const fetchDeleteMonitor = async ({ id }: { id: string }): Promise => { + return await apiService.delete(`${API_URLS.SYNTHETICS_MONITORS}/${id}`); +}; + +export const fetchUpsertMonitor = async ({ + monitor, + id, +}: { + monitor: SyntheticsMonitor | EncryptedSyntheticsMonitor; + id?: string; +}): Promise<{ attributes: { errors: ServiceLocationErrors } } | SyntheticsMonitor> => { + if (id) { + return await apiService.put(`${API_URLS.SYNTHETICS_MONITORS}/${id}`, monitor); + } else { + return await apiService.post(API_URLS.SYNTHETICS_MONITORS, monitor); + } +}; + +export const fetchCreateMonitor = async ({ + monitor, +}: { + monitor: SyntheticsMonitor | EncryptedSyntheticsMonitor; +}): Promise<{ attributes: { errors: ServiceLocationErrors } } | SyntheticsMonitor> => { + return await apiService.post(API_URLS.SYNTHETICS_MONITORS, monitor); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/effects.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts similarity index 53% rename from x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/effects.ts rename to x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts index 924fb8baf1da0..e155250eec19b 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/effects.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/effects.ts 
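Review bot: `fetchDeleteMonitor` and the `put` branch of `fetchUpsertMonitor` build the request path with a raw template, `${API_URLS.SYNTHETICS_MONITORS}/${id}`, so an `id` containing `/`, `?` or `#` is not confined to a single path segment and changes which route the request hits. Saved-object ids are normally opaque UUIDs, but the value reaches this client from UI state, so encode it at the boundary in both places: `${API_URLS.SYNTHETICS_MONITORS}/${encodeURIComponent(id)}`. Separately, `fetchCreateMonitor` is byte-for-byte the `else` branch of `fetchUpsertMonitor`, so exporting both invites drift, and `toMonitorManagementListQueryArgs` hard-codes `search: ''` and `searchFields: []` even though the query args accept them — a one-line comment stating that search is intentionally not wired yet would stop a reader from treating that as a bug.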
@@ -6,25 +6,13 @@ */ import { takeLeading } from 'redux-saga/effects'; -import { fetchMonitorListAction } from './monitor_list'; -import { fetchMonitorManagementList, fetchServiceLocations } from './api'; import { fetchEffectFactory } from '../utils/fetch_effect'; -import { fetchServiceLocationsAction } from './service_locations'; - -export function* fetchServiceLocationsEffect() { - yield takeLeading( - String(fetchServiceLocationsAction.get), - fetchEffectFactory( - fetchServiceLocations, - fetchServiceLocationsAction.success, - fetchServiceLocationsAction.fail - ) - ); -} +import { fetchMonitorListAction } from './actions'; +import { fetchMonitorManagementList } from './api'; export function* fetchMonitorListEffect() { yield takeLeading( - String(fetchMonitorListAction.get), + fetchMonitorListAction.get, fetchEffectFactory( fetchMonitorManagementList, fetchMonitorListAction.success, diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts new file mode 100644 index 0000000000000..fbe152f290aa7 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/index.ts 
@@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createReducer } from '@reduxjs/toolkit'; + +import { ConfigKey, MonitorManagementListResult } from '../../../../../common/runtime_types'; + +import { IHttpSerializedFetchError, serializeHttpFetchError } from '../utils/http_error'; + +import { MonitorListPageState } from './models'; +import { fetchMonitorListAction } from './actions'; + +export interface MonitorListState { + data: MonitorManagementListResult; + pageState: MonitorListPageState; + loading: boolean; + error: IHttpSerializedFetchError | null; +} + +const initialState: MonitorListState = { + data: { page: 1, perPage: 10, total: null, monitors: [], syncErrors: [] }, + pageState: { + pageIndex: 0, + pageSize: 10, + sortOrder: 'asc', + sortField: `${ConfigKey.NAME}.keyword`, + }, + loading: false, + error: null, +}; + +export const monitorListReducer = createReducer(initialState, (builder) => { + builder + .addCase(fetchMonitorListAction.get, (state, action) => { + state.pageState = action.payload; + state.loading = true; + }) + .addCase(fetchMonitorListAction.success, (state, action) => { + state.loading = false; + state.data = action.payload; + }) + .addCase(fetchMonitorListAction.fail, (state, action) => { + state.loading = false; + state.error = serializeHttpFetchError(action.payload); + }); +}); + +export * from './models'; +export * from './actions'; +export * from './effects'; +export * from './selectors'; +export { fetchDeleteMonitor, fetchUpsertMonitor, fetchCreateMonitor } from './api'; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/models.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/models.ts new file mode 100644 index 0000000000000..bfc4272b04a67 
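Review bot: `monitorListReducer` never clears `state.error`: the `fetchMonitorListAction.success` case updates `loading` and `data` but leaves an error from an earlier failed fetch in place, so the UI keeps reporting a stale failure after a successful reload. The sibling `serviceLocationsReducer` in this same change resets it on success; mirror that with `state.error = null;` in the success case, and arguably in the `get` case when a new fetch starts. `initialState.data.total: null` is fine if `MonitorManagementListResult.total` is nullable, which is not visible here — a short comment on why `null` rather than `0` would help the next reader.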
--- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/models.ts @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + EncryptedSyntheticsSavedMonitor, + FetchMonitorManagementListQueryArgs, +} from '../../../../../common/runtime_types'; + +export type MonitorListSortField = `${keyof EncryptedSyntheticsSavedMonitor}.keyword`; + +export interface MonitorListPageState { + pageIndex: number; + pageSize: number; + sortField: MonitorListSortField; + sortOrder: NonNullable; +} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/selectors.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/selectors.ts new file mode 100644 index 0000000000000..6d92e75977cf6 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_list/selectors.ts @@ -0,0 +1,22 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createSelector } from 'reselect'; + +import { EncryptedSyntheticsSavedMonitor } from '../../../../../common/runtime_types'; +import { SyntheticsAppState } from '../root_reducer'; + +export const selectMonitorListState = (state: SyntheticsAppState) => state.monitorList; +export const selectEncryptedSyntheticsSavedMonitors = createSelector( + selectMonitorListState, + (state) => + state.data.monitors.map((monitor) => ({ + ...monitor.attributes, + id: monitor.id, + updated_at: monitor.updated_at, + })) as EncryptedSyntheticsSavedMonitor[] +); 
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/monitor_list.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/monitor_list.ts deleted file mode 100644 index 2493f9eb173d8..0000000000000 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/monitor_list.ts +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { createReducer } from '@reduxjs/toolkit'; -import { IHttpFetchError } from '@kbn/core/public'; -import { createAsyncAction, Nullable } from '../utils/actions'; -import { MonitorManagementListResult } from '../../../../../common/runtime_types'; - -export const fetchMonitorListAction = createAsyncAction( - 'fetchMonitorListAction' -); - -export const monitorListReducer = createReducer( - { - data: {} as MonitorManagementListResult, - loading: false, - error: null as Nullable, - }, - (builder) => { - builder - .addCase(fetchMonitorListAction.get, (state, action) => { - state.loading = true; - }) - .addCase(fetchMonitorListAction.success, (state, action) => { - state.loading = false; - state.data = action.payload; - }) - .addCase(fetchMonitorListAction.fail, (state, action) => { - state.loading = false; - state.error = action.payload; - }); - } -); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/service_locations.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/service_locations.ts deleted file mode 100644 index 572d00ce3892f..0000000000000 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/monitor_management/service_locations.ts +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { createReducer, PayloadAction } from '@reduxjs/toolkit'; -import { IHttpFetchError } from '@kbn/core/public'; -import { createAsyncAction, Nullable } from '../utils/actions'; -import { ServiceLocations, ThrottlingOptions } from '../../../../../common/runtime_types'; - -export const fetchServiceLocationsAction = createAsyncAction( - 'fetchServiceLocationsAction' -); - -export interface ServiceLocationsState { - throttling: ThrottlingOptions | undefined; - locations: ServiceLocations; -} - -export const serviceLocationReducer = createReducer( - { - locations: [] as ServiceLocations, - loading: false, - error: null as Nullable, - }, - (builder) => { - builder - .addCase(fetchServiceLocationsAction.get, (state, action) => { - state.loading = true; - }) - .addCase( - fetchServiceLocationsAction.success, - (state, action: PayloadAction) => { - state.loading = false; - state.locations = action.payload.locations; - } - ) - .addCase(fetchServiceLocationsAction.fail, (state, action) => { - state.loading = false; - state.error = action.payload; - }); - } -); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/root_effect.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/root_effect.ts index 9a66b4e6b9e74..78d26f231fca1 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/root_effect.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/root_effect.ts 
@@ -6,12 +6,15 @@ */ import { all, fork } from 'redux-saga/effects'; -import { fetchMonitorListEffect, fetchServiceLocationsEffect } from './monitor_management/effects'; import { fetchIndexStatusEffect } from './index_status'; +import { fetchSyntheticsEnablementEffect } from './synthetics_enablement'; +import { fetchMonitorListEffect } from './monitor_list'; +import { fetchServiceLocationsEffect } from './service_locations'; export const rootEffect = function* root(): Generator { yield all([ fork(fetchIndexStatusEffect), + fork(fetchSyntheticsEnablementEffect), fork(fetchServiceLocationsEffect), fork(fetchMonitorListEffect), ]); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/root_reducer.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/root_reducer.ts index 1c8ed190fd80e..e358b185fbeb3 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/state/root_reducer.ts +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/root_reducer.ts @@ -7,16 +7,18 @@ import { combineReducers } from '@reduxjs/toolkit'; -import { monitorListReducer } from './monitor_management/monitor_list'; -import { serviceLocationReducer } from './monitor_management/service_locations'; import { uiReducer } from './ui'; import { indexStatusReducer } from './index_status'; +import { syntheticsEnablementReducer } from './synthetics_enablement'; +import { monitorListReducer } from './monitor_list'; +import { serviceLocationsReducer } from './service_locations'; export const rootReducer = combineReducers({ ui: uiReducer, indexStatus: indexStatusReducer, - serviceLocations: serviceLocationReducer, + syntheticsEnablement: syntheticsEnablementReducer, monitorList: monitorListReducer, + serviceLocations: serviceLocationsReducer, }); export type SyntheticsAppState = ReturnType; 
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/actions.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/actions.ts new file mode 100644 index 0000000000000..794e16d0292c5 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/actions.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createAction } from '@reduxjs/toolkit'; +import { ServiceLocations, ThrottlingOptions } from '../../../../../common/runtime_types'; + +export const getServiceLocations = createAction('[SERVICE LOCATIONS] GET'); +export const getServiceLocationsSuccess = createAction<{ + throttling: ThrottlingOptions | undefined; + locations: ServiceLocations; +}>('[SERVICE LOCATIONS] GET SUCCESS'); +export const getServiceLocationsFailure = createAction('[SERVICE LOCATIONS] GET FAILURE'); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/api.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/api.ts new file mode 100644 index 0000000000000..3435c06f6cf8e --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/api.ts 
@@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { API_URLS } from '../../../../../common/constants'; +import { + ServiceLocations, + ServiceLocationsApiResponseCodec, + ThrottlingOptions, +} from '../../../../../common/runtime_types'; +import { apiService } from '../../../../utils/api_service'; + +export const fetchServiceLocations = async (): Promise<{ + throttling: ThrottlingOptions | undefined; + locations: ServiceLocations; +}> => { + const { throttling, locations } = await apiService.get( + API_URLS.SERVICE_LOCATIONS, + undefined, + ServiceLocationsApiResponseCodec + ); + return { throttling, locations }; +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/effects.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/effects.ts new file mode 100644 index 0000000000000..e72f173af6c86 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/effects.ts @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { takeLeading } from 'redux-saga/effects'; +import { + getServiceLocations, + getServiceLocationsFailure, + getServiceLocationsSuccess, +} from './actions'; +import { fetchServiceLocations } from './api'; +import { fetchEffectFactory } from '../utils/fetch_effect'; + +export function* fetchServiceLocationsEffect() { + yield takeLeading( + getServiceLocations, + fetchEffectFactory( + fetchServiceLocations, + getServiceLocationsSuccess, + getServiceLocationsFailure + ) + ); +} 
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/index.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/index.ts new file mode 100644 index 0000000000000..98676baf421a9 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/index.ts @@ -0,0 +1,54 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createReducer } from '@reduxjs/toolkit'; +import { + DEFAULT_THROTTLING, + ServiceLocations, + ThrottlingOptions, +} from '../../../../../common/runtime_types'; + +import { + getServiceLocations, + getServiceLocationsSuccess, + getServiceLocationsFailure, +} from './actions'; + +export interface ServiceLocationsState { + locations: ServiceLocations; + throttling: ThrottlingOptions | null; + loading: boolean; + error: Error | null; +} + +const initialState: ServiceLocationsState = { + locations: [], + throttling: DEFAULT_THROTTLING, + loading: false, + error: null, +}; + +export const serviceLocationsReducer = createReducer(initialState, (builder) => { + builder + .addCase(getServiceLocations, (state) => { + state.loading = true; + }) + .addCase(getServiceLocationsSuccess, (state, action) => { + state.loading = false; + state.error = null; + state.locations = action.payload.locations; + state.throttling = action.payload.throttling || DEFAULT_THROTTLING; + }) + .addCase(getServiceLocationsFailure, (state, action) => { + state.loading = false; + state.error = action.payload; + }); +}); + +export * from './actions'; +export * from './effects'; +export * from './selectors'; 
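Review bot: `getServiceLocationsFailure` stores the raw payload as `state.error` (typed `Error | null`), whereas `monitorListReducer` introduced in the same change passes failures through `serializeHttpFetchError` and types the field `IHttpSerializedFetchError | null`. If `fetchEffectFactory` forwards the `IHttpFetchError` thrown by `apiService` (not visible here), that object carries `request`/`response` and is not a plain serializable value, which Redux Toolkit's serializability check flags and which leaves the two slices with different error shapes for consumers. Use the shared helper here as well: `state.error = serializeHttpFetchError(action.payload);` with `error: IHttpSerializedFetchError | null` on `ServiceLocationsState`. The `action.payload.throttling || DEFAULT_THROTTLING` fallback on success also deserves a comment noting that the API may omit `throttling`.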
diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/selectors.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/selectors.ts new file mode 100644 index 0000000000000..3ced345c6259e --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/service_locations/selectors.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createSelector } from 'reselect'; +import type { SyntheticsAppState } from '../root_reducer'; + +const getState = (appState: SyntheticsAppState) => appState.serviceLocations; +export const selectServiceLocationsState = createSelector(getState, (state) => state); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/actions.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/actions.ts new file mode 100644 index 0000000000000..c38fadc0952a6 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/actions.ts 
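Review bot: `selectServiceLocationsState = createSelector(getState, (state) => state)` memoizes an identity function, which adds a reselect cache for no benefit — the result is always the same reference `getState` already returns. A plain selector is equivalent and simpler: `export const selectServiceLocationsState = (appState: SyntheticsAppState) => appState.serviceLocations;`. `monitor_list/selectors.ts` in this same change uses exactly that plain form for `selectMonitorListState`, so the change would also make the slices consistent.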
@@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createAction } from '@reduxjs/toolkit'; +import { MonitorManagementEnablementResult } from '../../../../../common/runtime_types'; + +export const getSyntheticsEnablement = createAction('[SYNTHETICS_ENABLEMENT] GET'); +export const getSyntheticsEnablementSuccess = createAction( + '[SYNTHETICS_ENABLEMENT] GET SUCCESS' +); +export const getSyntheticsEnablementFailure = createAction( + '[SYNTHETICS_ENABLEMENT] GET FAILURE' +); + +export const disableSynthetics = createAction('[SYNTHETICS_ENABLEMENT] DISABLE'); +export const disableSyntheticsSuccess = createAction<{}>('[SYNTHETICS_ENABLEMENT] DISABLE SUCCESS'); +export const disableSyntheticsFailure = createAction( + '[SYNTHETICS_ENABLEMENT] DISABLE FAILURE' +); + +export const enableSynthetics = createAction('[SYNTHETICS_ENABLEMENT] ENABLE'); +export const enableSyntheticsSuccess = createAction<{}>('[SYNTHETICS_ENABLEMENT] ENABLE SUCCESS'); +export const enableSyntheticsFailure = createAction( + '[SYNTHETICS_ENABLEMENT] ENABLE FAILURE' +); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/api.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/api.ts new file mode 100644 index 0000000000000..4593f241b41f5 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/api.ts 
@@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { API_URLS } from '../../../../../common/constants'; +import { + MonitorManagementEnablementResult, + MonitorManagementEnablementResultCodec, +} from '../../../../../common/runtime_types'; +import { apiService } from '../../../../utils/api_service'; + +export const fetchGetSyntheticsEnablement = + async (): Promise => { + return await apiService.get( + API_URLS.SYNTHETICS_ENABLEMENT, + undefined, + MonitorManagementEnablementResultCodec + ); + }; + +export const fetchDisableSynthetics = async (): Promise<{}> => { + return await apiService.delete(API_URLS.SYNTHETICS_ENABLEMENT); +}; + +export const fetchEnableSynthetics = async (): Promise<{}> => { + return await apiService.post(API_URLS.SYNTHETICS_ENABLEMENT); +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/effects.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/effects.ts new file mode 100644 index 0000000000000..d3134c60f8fd3 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/effects.ts 
@@ -0,0 +1,40 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { takeLatest, takeLeading } from 'redux-saga/effects'; +import { + getSyntheticsEnablement, + getSyntheticsEnablementSuccess, + getSyntheticsEnablementFailure, + disableSynthetics, + disableSyntheticsSuccess, + disableSyntheticsFailure, + enableSynthetics, + enableSyntheticsSuccess, + enableSyntheticsFailure, +} from './actions'; +import { fetchGetSyntheticsEnablement, fetchDisableSynthetics, fetchEnableSynthetics } from './api'; +import { fetchEffectFactory } from '../utils/fetch_effect'; + +export function* fetchSyntheticsEnablementEffect() { + yield takeLeading( + getSyntheticsEnablement, + fetchEffectFactory( + fetchGetSyntheticsEnablement, + getSyntheticsEnablementSuccess, + getSyntheticsEnablementFailure + ) + ); + yield takeLatest( + disableSynthetics, + fetchEffectFactory(fetchDisableSynthetics, disableSyntheticsSuccess, disableSyntheticsFailure) + ); + yield takeLatest( + enableSynthetics, + fetchEffectFactory(fetchEnableSynthetics, enableSyntheticsSuccess, enableSyntheticsFailure) + ); +} diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/index.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/index.ts new file mode 100644 index 0000000000000..62ed85ad17e86 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/index.ts 
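Review bot: `disableSynthetics` and `enableSynthetics` are wired with `takeLatest`, but cancelling the previous saga does not abort the HTTP request already issued by `fetchDisableSynthetics`/`fetchEnableSynthetics` (no abort signal is passed to `apiService`), so two quick dispatches send two state-changing requests to `SYNTHETICS_ENABLEMENT` while only the last result is reduced. For a mutating call, `takeLeading` — as used for the GET directly above — is the safer default, or the caller must disable the control while `loading` is true. Whether `fetchEffectFactory` performs any request cancellation is not visible in this hunk, so confirm that before changing it.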
@@ -0,0 +1,88 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createReducer } from '@reduxjs/toolkit'; +import { + getSyntheticsEnablement, + getSyntheticsEnablementSuccess, + disableSynthetics, + disableSyntheticsSuccess, + disableSyntheticsFailure, + enableSynthetics, + enableSyntheticsSuccess, + enableSyntheticsFailure, + getSyntheticsEnablementFailure, +} from './actions'; +import { MonitorManagementEnablementResult } from '../../../../../common/runtime_types'; + +export interface SyntheticsEnablementState { + loading: boolean; + error: Error | null; + enablement: MonitorManagementEnablementResult | null; +} + +export const initialState: SyntheticsEnablementState = { + loading: false, + error: null, + enablement: null, +}; + +export const syntheticsEnablementReducer = createReducer(initialState, (builder) => { + builder + .addCase(getSyntheticsEnablement, (state) => { + state.loading = true; + }) + .addCase(getSyntheticsEnablementSuccess, (state, action) => { + state.loading = false; + state.error = null; + state.enablement = action.payload; + }) + .addCase(getSyntheticsEnablementFailure, (state, action) => { + state.loading = false; + state.error = action.payload; + }) + + .addCase(disableSynthetics, (state) => { + state.loading = true; + }) + .addCase(disableSyntheticsSuccess, (state, action) => { + state.loading = false; + state.error = null; + state.enablement = { + canEnable: state.enablement?.canEnable ?? false, + areApiKeysEnabled: state.enablement?.areApiKeysEnabled ?? false, + canManageApiKeys: state.enablement?.canManageApiKeys ?? 
false, + isEnabled: false, + }; + }) + .addCase(disableSyntheticsFailure, (state, action) => { + state.loading = false; + state.error = action.payload; + }) + + .addCase(enableSynthetics, (state) => { + state.loading = true; + }) + .addCase(enableSyntheticsSuccess, (state, action) => { + state.loading = false; + state.error = null; + state.enablement = { + canEnable: state.enablement?.canEnable ?? false, + areApiKeysEnabled: state.enablement?.areApiKeysEnabled ?? false, + canManageApiKeys: state.enablement?.canManageApiKeys ?? false, + isEnabled: true, + }; + }) + .addCase(enableSyntheticsFailure, (state, action) => { + state.loading = false; + state.error = action.payload; + }); +}); + +export * from './actions'; +export * from './effects'; +export * from './selectors'; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/selectors.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/selectors.ts new file mode 100644 index 0000000000000..fd69d44871637 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/synthetics_enablement/selectors.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createSelector } from 'reselect'; +import type { SyntheticsAppState } from '../root_reducer'; + +const getState = (appState: SyntheticsAppState) => appState.syntheticsEnablement; +export const selectSyntheticsEnablement = createSelector(getState, (state) => state); diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/state/utils/http_error.ts b/x-pack/plugins/synthetics/public/apps/synthetics/state/utils/http_error.ts new file mode 100644 index 0000000000000..b34402556ed91 --- /dev/null 
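Review bot: the `enableSyntheticsSuccess` and `disableSyntheticsSuccess` cases fabricate an `enablement` object when `state.enablement` is still `null`: `canEnable`, `areApiKeysEnabled` and `canManageApiKeys` all fall back to `false` while `isEnabled` is forced to `true`/`false`, so a consumer reading those privilege flags sees values the server never returned. Keep the update conditional, e.g. `state.enablement = state.enablement ? { ...state.enablement, isEnabled: true } : null;` (mirrored for disable), or have the effect dispatch `getSyntheticsEnablement` after success so the flags come from the server. As in `serviceLocationsReducer`, the failure cases store the raw `action.payload` in `error: Error | null` instead of going through `serializeHttpFetchError` as `monitorListReducer` does; the three slices should agree on one error shape.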
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/state/utils/http_error.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IHttpFetchError } from '@kbn/core/public'; + +export interface IHttpSerializedFetchError { + name: string; + body: { + error?: string; + message?: string; + statusCode?: number; + }; + requestUrl: string; +} + +export const serializeHttpFetchError = (error: IHttpFetchError): IHttpSerializedFetchError => { + const body = error.body as { error: string; message: string; statusCode: number }; + return { + name: error.name, + body: { + error: body!.error, + message: body!.message, + statusCode: body!.statusCode, + }, + requestUrl: error.request.url, + }; +}; diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/synthetics_app.tsx b/x-pack/plugins/synthetics/public/apps/synthetics/synthetics_app.tsx index 808444c1f8ec8..1efc0fdc69a4f 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/synthetics_app.tsx +++ b/x-pack/plugins/synthetics/public/apps/synthetics/synthetics_app.tsx @@ -31,6 +31,7 @@ import { store, storage, setBasePath } from './state'; import { kibanaService } from '../../utils/kibana_service'; import { ActionMenu } from './components/common/header/action_menu'; +// added a comment to trigger test const Application = (props: SyntheticsAppProps) => { const { basePath, diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/__mocks__/syncthetics_store.mock.ts b/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/__mocks__/syncthetics_store.mock.ts index a045c7a7f7bed..7242160901964 100644 --- a/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/__mocks__/syncthetics_store.mock.ts 
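Review bot: `serializeHttpFetchError` dereferences `body!.error`, `body!.message` and `body!.statusCode` with a non-null assertion, yet `IHttpSerializedFetchError.body` declares all three fields optional — precisely the case where `error.body` is `undefined` (network failure, aborted request, non-JSON error page). Called from a reducer on such an error this throws inside the store and the original failure is lost. Drop the assertion and the cast: `error: body?.error, message: body?.message, statusCode: body?.statusCode`, and likewise `requestUrl: error.request?.url ?? ''` if `request` can be absent on `IHttpFetchError`, which is not visible here. A one-line doc comment stating the purpose — a plain-object, Redux-serializable copy of an `IHttpFetchError` — would make the helper's contract clear to callers.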
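Review bot: `// added a comment to trigger test` above `const Application = (props: SyntheticsAppProps) => {` in synthetics_app.tsx is a CI-retrigger scratch comment, not documentation, and should be removed before merge; this hunk otherwise makes no functional change to the file. If a re-run is needed, an empty commit or a pipeline retry is cleaner than landing noise in the component.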
+++ b/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/__mocks__/syncthetics_store.mock.ts @@ -6,7 +6,11 @@ */ import { SyntheticsAppState } from '../../../state/root_reducer'; -import { LocationStatus } from '../../../../../../common/runtime_types'; +import { + ConfigKey, + DEFAULT_THROTTLING, + LocationStatus, +} from '../../../../../../common/runtime_types'; /** * NOTE: This variable name MUST start with 'mock*' in order for @@ -27,6 +31,7 @@ export const mockState: SyntheticsAppState = { loading: false, }, serviceLocations: { + throttling: DEFAULT_THROTTLING, locations: [ { id: 'us_central', @@ -55,6 +60,12 @@ export const mockState: SyntheticsAppState = { error: null, }, monitorList: { + pageState: { + pageIndex: 0, + pageSize: 10, + sortOrder: 'asc', + sortField: `${ConfigKey.NAME}.keyword`, + }, data: { total: 0, monitors: [], @@ -65,6 +76,5 @@ export const mockState: SyntheticsAppState = { error: null, loading: false, }, + syntheticsEnablement: { loading: false, error: null, enablement: null }, }; - -// TODO: Complete mock state diff --git a/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/spy_use_fetcher.ts b/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/spy_use_fetcher.ts new file mode 100644 index 0000000000000..47d52a73e6850 --- /dev/null +++ b/x-pack/plugins/synthetics/public/apps/synthetics/utils/testing/spy_use_fetcher.ts 
@@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as observabilityPublic from '@kbn/observability-plugin/public'; + +jest.mock('@kbn/observability-plugin/public', () => { + const originalModule = jest.requireActual('@kbn/observability-plugin/public'); + + return { + ...originalModule, + useFetcher: jest.fn().mockReturnValue({ + data: null, + status: 'success', + }), + useTrackPageview: jest.fn(), + }; +}); + +export function spyOnUseFetcher( + payload: unknown, + status = observabilityPublic.FETCH_STATUS.SUCCESS +) { + return jest.spyOn(observabilityPublic, 'useFetcher').mockReturnValue({ + status, + data: payload, + refetch: () => null, + }); +} diff --git a/x-pack/plugins/synthetics/public/hooks/use_capabilities.ts b/x-pack/plugins/synthetics/public/hooks/use_capabilities.ts new file mode 100644 index 0000000000000..5cde14df84f0e --- /dev/null +++ b/x-pack/plugins/synthetics/public/hooks/use_capabilities.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useKibana } from '@kbn/kibana-react-plugin/public'; + +export const useCanEditSynthetics = () => { + return !!useKibana().services?.application?.capabilities.uptime.save; +}; diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/action_bar/action_bar.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/action_bar/action_bar.tsx index 5672c96314dc9..af09f6965083b 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/action_bar/action_bar.tsx 
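Review bot: The `useFetcher` stub installed by the module-level `jest.mock` returns only `data` and `status`, while `spyOnUseFetcher` returns `refetch: () => null` as well, so a component that destructures `refetch` from the hook behaves differently depending on whether a test happened to call the spy. Give both paths the same shape and the same status constant, e.g. `useFetcher: jest.fn().mockReturnValue({ data: null, status: originalModule.FETCH_STATUS.SUCCESS, refetch: () => null })`, so the default and the spy cannot drift apart. It also appears that a `jest.mock` living in a helper module only affects modules required after the helper is loaded; if that is the case, a short comment telling test authors to import `spy_use_fetcher` before the component under test would prevent a confusing "real hook still called" failure.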
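Review bot: `useCanEditSynthetics` stops optional chaining at `capabilities` and then reads `.uptime.save` unguarded, so a deployment where the `uptime` capability group is not registered (feature disabled, or the hook rendered outside the synthetics app) throws instead of returning `false`. Chain through the whole path: `return !!useKibana().services?.application?.capabilities?.uptime?.save;`. This hook is a UI affordance only — hiding or disabling edit controls — and the authorization check on the server routes, not this value, must remain the control that prevents writes; a one-line comment stating that above the hook would stop a later maintainer from treating it as a security boundary.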
+++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/action_bar/action_bar.tsx @@ -21,17 +21,22 @@ import { useSelector } from 'react-redux'; import { FETCH_STATUS, useFetcher } from '@kbn/observability-plugin/public'; import { euiStyled } from '@kbn/kibana-react-plugin/common'; +import { showSyncErrors } from '../../../../apps/synthetics/components/monitors_page/management/show_sync_errors'; import { MONITOR_MANAGEMENT_ROUTE } from '../../../../../common/constants'; import { UptimeSettingsContext } from '../../../contexts'; import { setMonitor } from '../../../state/api'; -import { ConfigKey, SyntheticsMonitor, SourceType } from '../../../../../common/runtime_types'; +import { + ConfigKey, + SyntheticsMonitor, + SourceType, + ServiceLocationErrors, +} from '../../../../../common/runtime_types'; import { TestRun } from '../test_now_mode/test_now_mode'; import { monitorManagementListSelector } from '../../../state/selectors'; import { kibanaService } from '../../../state/kibana_service'; -import { showSyncErrors } from '../../../../apps/synthetics/components/monitor_management/show_sync_errors'; export interface ActionBarProps { monitor: SyntheticsMonitor; @@ -104,7 +109,11 @@ export const ActionBar = ({ }); setIsSuccessful(true); } else if (hasErrors && !loading) { - showSyncErrors(data.attributes.errors, locations, kibanaService.toasts); + showSyncErrors( + (data as { attributes: { errors: ServiceLocationErrors } })?.attributes.errors ?? [], + locations, + kibanaService.toasts + ); setIsSuccessful(true); } }, [data, status, isSaving, isValid, monitorId, hasErrors, locations, loading]); diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/monitor_list/monitor_list_container.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/monitor_list/monitor_list_container.tsx index 727f4f6dee72b..6db399175aaa6 100644 
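Review bot: In the `showSyncErrors` call the optional chain guards `data` but not `attributes`, so `(data as { attributes: { errors: ServiceLocationErrors } })?.attributes.errors` still throws when the fetch resolved with a payload that lacks `attributes`, and the `?? []` fallback never gets a chance to apply. Chain the full path and make the asserted shape honest about optionality: `(data as { attributes?: { errors?: ServiceLocationErrors } })?.attributes?.errors ?? []`. The cast is also wider than what `useFetcher` is declared to return here; if `setMonitor` can be typed to return the `attributes` shape, narrowing the hook's generic would remove the cast altogether. The enclosing effect starts before the hunk, and `hasErrors` is computed outside it, so I cannot tell whether that flag already implies `attributes` is present.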
--- a/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/monitor_list/monitor_list_container.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/monitor_management/monitor_list/monitor_list_container.tsx @@ -39,8 +39,8 @@ export const MonitorListContainer = ({ dispatchPageAction({ type: 'refresh' }); }, [dispatchPageAction]); - useTrackPageview({ app: 'uptime', path: 'manage-monitors' }); - useTrackPageview({ app: 'uptime', path: 'manage-monitors', delay: 15000 }); + useTrackPageview({ app: 'uptime', path: 'monitors' }); + useTrackPageview({ app: 'uptime', path: 'monitors', delay: 15000 }); const monitorList = useSelector(monitorManagementListSelector); diff --git a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_status_alert/alert_monitor_status.test.tsx b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_status_alert/alert_monitor_status.test.tsx index 6dbef12159a18..3f675597301f3 100644 --- a/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_status_alert/alert_monitor_status.test.tsx +++ b/x-pack/plugins/synthetics/public/legacy_uptime/components/overview/alerts/monitor_status_alert/alert_monitor_status.test.tsx @@ -14,7 +14,8 @@ import { } from './alert_monitor_status'; import { render } from '../../../../lib/helper/rtl_helpers'; -describe('alert monitor status component', () => { +// FLAKY: https://github.com/elastic/kibana/issues/133226 +describe.skip('alert monitor status component', () => { jest.setTimeout(10_000); describe('hasFilters', () => { diff --git a/x-pack/plugins/synthetics/public/plugin.ts b/x-pack/plugins/synthetics/public/plugin.ts index 127655f95e8a6..826beb2cbfe68 100644 --- a/x-pack/plugins/synthetics/public/plugin.ts +++ b/x-pack/plugins/synthetics/public/plugin.ts 
@@ -41,6 +41,7 @@ import { CasesUiStart } from '@kbn/cases-plugin/public'; import { CloudSetup } from '@kbn/cloud-plugin/public'; import { DataViewsPublicPluginStart } from '@kbn/data-views-plugin/public'; import { PLUGIN } from '../common/constants/plugin'; +import { MONITORS_ROUTE } from '../common/constants/ui'; import { LazySyntheticsPolicyCreateExtension, LazySyntheticsPolicyEditExtension, @@ -262,8 +263,8 @@ function registerSyntheticsRoutesWithNavigation( defaultMessage: 'Monitors', }), app: 'synthetics', - path: '/manage-monitors', - matchFullPath: false, + path: MONITORS_ROUTE, + matchFullPath: true, ignoreTrailingSlash: true, }, ], diff --git a/x-pack/plugins/synthetics/scripts/base_e2e.js b/x-pack/plugins/synthetics/scripts/base_e2e.js new file mode 100644 index 0000000000000..9def92fdbb0e3 --- /dev/null +++ b/x-pack/plugins/synthetics/scripts/base_e2e.js 
@@ -0,0 +1,89 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable no-console */ + +const yargs = require('yargs'); +const childProcess = require('child_process'); + +const { argv } = yargs(process.argv.slice(2)) + .option('server', { + default: false, + type: 'boolean', + description: 'Start Elasticsearch and kibana', + }) + .option('runner', { + default: false, + type: 'boolean', + description: + 'Run all tests (an instance of Elasticsearch and kibana are needs to be available)', + }) + .option('open', { + default: false, + type: 'boolean', + description: 'Opens the Synthetics Test Runner', + }) + .option('kibana-install-dir', { + default: '', + type: 'string', + description: 'Path to the Kibana install directory', + }) + .option('headless', { + default: true, + type: 'boolean', + description: 'Start in headless mode', + }) + .option('grep', { + default: undefined, + type: 'string', + description: 'run only journeys with a name or tags that matches the glob', + }) + .help(); + +const { server, runner, open, kibanaInstallDir, headless, grep } = argv; + +let ftrScript = 'functional_tests'; +if (server) { + ftrScript = 'functional_tests_server'; +} else if (runner || open) { + ftrScript = 'functional_test_runner'; +} + +const config = './synthetics_run.ts'; + +function executeSyntheticsRunner(dirPath) { + console.log(`Running ${ftrScript} in ${dirPath}`); + if (server) { + childProcess.execSync( + `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}'`, + { + cwd: dirPath, + stdio: 'inherit', + } + ); + } else if (runner) { + childProcess.execSync( + `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}' --headless ${headless} --grep '${grep}'`, + { 
+ cwd: dirPath, + stdio: 'inherit', + } + ); + } else { + childProcess.execSync( + `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}' --grep '${grep}'`, + { + cwd: dirPath, + stdio: 'inherit', + } + ); + } +} + +module.exports = { + executeSyntheticsRunner, +}; diff --git a/x-pack/plugins/synthetics/scripts/e2e.js b/x-pack/plugins/synthetics/scripts/e2e.js index cfdd7b09f806e..69a1f3319491e 100644 --- a/x-pack/plugins/synthetics/scripts/e2e.js +++ b/x-pack/plugins/synthetics/scripts/e2e.js 
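Review bot: `executeSyntheticsRunner` builds the shell command by interpolating `kibanaInstallDir` and `grep` inside single quotes, so any quote character in either value breaks the quoting, and because the `grep` option defaults to `undefined` the non-server branches pass the literal string `--grep 'undefined'` whenever the flag is omitted. Passing an argument array to `childProcess.execFileSync` removes the quoting problem, lets `--grep` be appended only when a value was supplied, and collapses the three near-identical `execSync` branches into one call. The `open` flag selects `functional_test_runner` but then takes the `else` branch without `--headless`; if that is deliberate (an opened runner is headed), a comment on the `ftrScript` selection would save the next reader the deduction.
```javascript
// … unchanged: yargs option parsing and ftrScript selection …

const config = './synthetics_run.ts';

function executeSyntheticsRunner(dirPath) {
  console.log(`Running ${ftrScript} in ${dirPath}`);
  // Argument array instead of a shell string: no quoting of user-supplied values.
  const args = [
    `../../../../scripts/${ftrScript}`,
    '--config',
    config,
    '--kibana-install-dir',
    kibanaInstallDir,
  ];
  if (runner) {
    args.push('--headless', String(headless));
  }
  // Only the non-server invocations filter journeys, and only when a pattern was given.
  if (!server && grep !== undefined) {
    args.push('--grep', grep);
  }
  childProcess.execFileSync('node', args, { cwd: dirPath, stdio: 'inherit' });
}
```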
@@ -7,82 +7,9 @@ /* eslint-disable no-console */ +const { executeSyntheticsRunner } = require('./base_e2e'); const path = require('path'); -const yargs = require('yargs'); -const childProcess = require('child_process'); - -const { argv } = yargs(process.argv.slice(2)) - .option('server', { - default: false, - type: 'boolean', - description: 'Start Elasticsearch and kibana', - }) - .option('runner', { - default: false, - type: 'boolean', - description: - 'Run all tests (an instance of Elasticsearch and kibana are needs to be available)', - }) - .option('open', { - default: false, - type: 'boolean', - description: 'Opens the Playwright Test Runner', - }) - .option('kibana-install-dir', { - default: '', - type: 'string', - description: 'Path to the Kibana install directory', - }) - .option('headless', { - default: true, - type: 'boolean', - description: 'Start in headless mode', - }) - .option('grep', { - default: undefined, - type: 'string', - description: 'run only journeys with a name or tags that matches the glob', - }) - .help(); - -const { server, runner, open, kibanaInstallDir, headless, grep } = argv; const e2eDir = path.join(__dirname, '../e2e'); -let ftrScript = 'functional_tests'; -if (server) { - ftrScript = 'functional_tests_server'; -} else if (runner || open) { - ftrScript = 'functional_test_runner'; -} - -const config = './playwright_run.ts'; - -function executeRunner() { - if (server) { - childProcess.execSync( - `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}'`, - { - cwd: e2eDir, - stdio: 'inherit', - } - ); - } else if (runner) { - childProcess.execSync( - `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}' --headless ${headless} --grep '${grep}'`, - { - cwd: e2eDir, - stdio: 'inherit', - } - ); - } else { - childProcess.execSync( - `node ../../../../scripts/${ftrScript} --config ${config} --kibana-install-dir '${kibanaInstallDir}' --grep 
'${grep}'`, - { - cwd: e2eDir, - stdio: 'inherit', - } - ); - } -} -executeRunner(); +executeSyntheticsRunner(e2eDir); diff --git a/x-pack/plugins/synthetics/server/legacy_uptime/lib/saved_objects/synthetics_monitor.ts b/x-pack/plugins/synthetics/server/legacy_uptime/lib/saved_objects/synthetics_monitor.ts index e9a2bc1710860..21b753194148c 100644 --- a/x-pack/plugins/synthetics/server/legacy_uptime/lib/saved_objects/synthetics_monitor.ts +++ b/x-pack/plugins/synthetics/server/legacy_uptime/lib/saved_objects/synthetics_monitor.ts @@ -50,7 +50,7 @@ export const syntheticsMonitor: SavedObjectsType = { project_id: { type: 'keyword', }, - 'monitor.origin': { + origin: { type: 'keyword', }, custom_heartbeat_id: { diff --git a/x-pack/plugins/synthetics/server/synthetics_service/formatters/browser.ts b/x-pack/plugins/synthetics/server/synthetics_service/formatters/browser.ts index 4192cf41eed81..18812e4f17525 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/formatters/browser.ts +++ b/x-pack/plugins/synthetics/server/synthetics_service/formatters/browser.ts @@ -5,7 +5,13 @@ * 2.0. */ -import { Formatter, commonFormatters, objectFormatter, arrayFormatter } from './common'; +import { + Formatter, + commonFormatters, + objectFormatter, + stringToObjectFormatter, + arrayFormatter, +} from './common'; import { BrowserFields, ConfigKey } from '../../../common/runtime_types/monitor_management'; import { DEFAULT_BROWSER_ADVANCED_FIELDS } from '../../../common/constants/monitor_defaults'; @@ -43,7 +49,7 @@ export const browserFormatters: BrowserFormatMap = { [ConfigKey.SOURCE_ZIP_PROXY_URL]: null, [ConfigKey.SOURCE_PROJECT_CONTENT]: null, [ConfigKey.SOURCE_INLINE]: null, - [ConfigKey.PARAMS]: null, + [ConfigKey.PARAMS]: (fields) => stringToObjectFormatter(fields[ConfigKey.PARAMS] || ''), [ConfigKey.SCREENSHOTS]: null, [ConfigKey.SYNTHETICS_ARGS]: (fields) => arrayFormatter(fields[ConfigKey.SYNTHETICS_ARGS]), [ConfigKey.ZIP_URL_TLS_CERTIFICATE_AUTHORITIES]: null, 
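Review bot: Renaming the saved-object mapping key from `'monitor.origin'` to `origin` changes which attribute gets indexed, but the hunk carries no saved-object migration, so documents already persisted under the old key keep it and a search on `origin` will not find them. If the dotted key was never actually written (a mapping typo rather than a rename), a comment on the mapping saying so would settle the question; otherwise a migration that copies the value is needed. The companion change in `project_monitor_formatter.ts` suggests this rename interacts with the encrypted-attribute AAD set, which is a second reason to state the compatibility story next to the mapping.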
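Review bot: `stringToObjectFormatter(fields[ConfigKey.PARAMS] || '')` applies a fallback the formatter already applies itself (`value || '{}'`), so the `|| ''` is redundant here and in the `PLAYWRIGHT_OPTIONS` hunk below; pass the field directly or keep the defaulting in one place. These two keys are the only browser fields whose user-supplied string is parsed and forwarded as structured data into the generated monitor configuration, so a short comment on each line, e.g. `// user-entered JSON; parsed and validated by stringToObjectFormatter`, makes that trust boundary visible to the next person editing the map.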
@@ -62,7 +68,8 @@ export const browserFormatters: BrowserFormatMap = { [ConfigKey.IGNORE_HTTPS_ERRORS]: null, [ConfigKey.JOURNEY_ID]: null, [ConfigKey.PROJECT_ID]: null, - [ConfigKey.PLAYWRIGHT_OPTIONS]: null, + [ConfigKey.PLAYWRIGHT_OPTIONS]: (fields) => + stringToObjectFormatter(fields[ConfigKey.PLAYWRIGHT_OPTIONS] || ''), [ConfigKey.CUSTOM_HEARTBEAT_ID]: null, [ConfigKey.ORIGINAL_SPACE]: null, ...commonFormatters, diff --git a/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.test.ts b/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.test.ts new file mode 100644 index 0000000000000..70bbd0ca402a6 --- /dev/null +++ b/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.test.ts @@ -0,0 +1,19 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { stringToObjectFormatter } from './common'; + +describe('common formatters', () => { + it.each([ + ['', undefined], + ['{', undefined], + ['{}', undefined], + ['{"some": "json"}', { some: 'json' }], + ])('formats strings to objects correctly, avoiding errors', (input, expected) => { + expect(stringToObjectFormatter(input)).toEqual(expected); + }); +}); diff --git a/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.ts b/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.ts index 63307f5cb80ab..6fda53bae8bf0 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.ts +++ b/x-pack/plugins/synthetics/server/synthetics_service/formatters/common.ts 
@@ -36,3 +36,12 @@ export const secondsToCronFormatter = (value: string = '') => (value ? `${value} export const objectFormatter = (value: Record = {}) => Object.keys(value).length ? value : null; + +export const stringToObjectFormatter = (value: string) => { + try { + const obj = JSON.parse(value || '{}'); + return Object.keys(obj).length ? obj : undefined; + } catch { + return undefined; + } +}; diff --git a/x-pack/plugins/synthetics/server/synthetics_service/formatters/format_configs.test.ts b/x-pack/plugins/synthetics/server/synthetics_service/formatters/format_configs.test.ts index 0aa351a95f376..cb0c0b9e10fda 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/formatters/format_configs.test.ts +++ b/x-pack/plugins/synthetics/server/synthetics_service/formatters/format_configs.test.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ - +import { omit } from 'lodash'; import { FormattedValue } from './common'; import { formatMonitorConfig, formatHeartbeatRequest } from './format_configs'; import { @@ -64,7 +64,8 @@ const testBrowserConfig: Partial = { 'source.zip_url.proxy_url': '', 'source.inline.script': "step('Go to https://www.google.com/', async () => {\n await page.goto('https://www.google.com/');\n});", - params: '', + params: '{"a":"param"}', + playwright_options: '{"playwright":"option"}', screenshots: 'on', synthetics_args: ['--hasTouch true'], 'filter_journeys.match': '', @@ -125,6 +126,12 @@ describe('formatMonitorConfig', () => { timeout: '16s', type: 'browser', synthetics_args: ['--hasTouch true'], + params: { + a: 'param', + }, + playwright_options: { + playwright: 'option', + }, }; }); 
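Review bot: `stringToObjectFormatter` accepts any JSON text and only checks `Object.keys(obj).length`, so `'[1,2]'` returns an array and `'"abc"'` returns a string (its keys are `0..2`), and both are forwarded to the monitor configuration as if they were option objects; `'null'` yields `undefined` only because `Object.keys(null)` happens to throw into the catch. Guard the parsed value explicitly: `const obj = JSON.parse(value || '{}');` followed by `return obj && typeof obj === 'object' && !Array.isArray(obj) && Object.keys(obj).length ? obj : undefined;`, and annotate the return as `Record<string, unknown> | undefined` so the formatter maps in browser.ts get a real contract instead of `any`. The new `it.each` table in common.test.ts should then gain `['[1]', undefined]`, `['"abc"', undefined]` and `['null', undefined]` rows, which is where the current behaviour would have been caught.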
@@ -137,6 +144,16 @@ describe('formatMonitorConfig', () => { expect(yamlConfig).toEqual(formattedBrowserConfig); }); + it('does not set empty strings or empty objects for params and playwright options', () => { + const yamlConfig = formatMonitorConfig(Object.keys(testBrowserConfig) as ConfigKey[], { + ...testBrowserConfig, + playwright_options: '{}', + params: '', + }); + + expect(yamlConfig).toEqual(omit(formattedBrowserConfig, ['params', 'playwright_options'])); + }); + it('excludes UI fields', () => { testBrowserConfig['throttling.is_enabled'] = false; testBrowserConfig['throttling.upload_speed'] = '3'; diff --git a/x-pack/plugins/synthetics/server/synthetics_service/normalizers/browser.test.ts b/x-pack/plugins/synthetics/server/synthetics_service/normalizers/browser.test.ts index d5583384a6d5c..264b95cbb4959 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/normalizers/browser.test.ts +++ b/x-pack/plugins/synthetics/server/synthetics_service/normalizers/browser.test.ts @@ -109,7 +109,7 @@ describe('browser normalizers', () => { ...DEFAULT_FIELDS[DataStream.BROWSER], journey_id: 'test-id-1', ignore_https_errors: true, - 'monitor.origin': 'project', + origin: 'project', locations: [ { geo: { @@ -149,7 +149,7 @@ describe('browser normalizers', () => { ...DEFAULT_FIELDS[DataStream.BROWSER], journey_id: 'test-id-2', ignore_https_errors: false, - 'monitor.origin': 'project', + origin: 'project', locations: [ { geo: { @@ -201,7 +201,7 @@ describe('browser normalizers', () => { ...DEFAULT_FIELDS[DataStream.BROWSER], journey_id: 'test-id-3', ignore_https_errors: false, - 'monitor.origin': 'project', + origin: 'project', locations: [ { geo: { diff --git a/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts b/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts index 3060075701ec3..1165c0eb12c86 100644 --- a/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts 
+++ b/x-pack/plugins/synthetics/server/synthetics_service/project_monitor_formatter.ts @@ -227,6 +227,7 @@ export class ProjectMonitorFormatter { } = normalizeSecrets(decryptedPreviousMonitor); const hasMonitorBeenEdited = !isEqual(normalizedMonitor, normalizedPreviousMonitorAttributes); const monitorWithRevision = formatSecrets({ + ...normalizedPreviousMonitorAttributes, // ensures monitor AAD remains consistent in the event of field name changes ...normalizedMonitor, revision: hasMonitorBeenEdited ? (previousMonitor.attributes[ConfigKey.REVISION] || 0) + 1 diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json index 446cd4d8fc444..0dc44c83fa6b7 100644 --- a/x-pack/plugins/translations/translations/fr-FR.json +++ b/x-pack/plugins/translations/translations/fr-FR.json @@ -3437,6 +3437,7 @@ "expressionTagcloud.functions.tagcloudHelpText": "Visualisation du nuage de balises.", "expressionTagcloud.renderer.tagcloud.displayName": "Visualisation du nuage de balises", "expressionTagcloud.renderer.tagcloud.helpDescription": "Afficher le rendu d’un nuage de balises", + "expressionXY.partialData.bucketTooltipText": "La plage temporelle sélectionnée n'inclut pas ce compartiment en entier. Il se peut qu'elle contienne des données partielles.", "expressionXY.axisExtentConfig.extentMode.help": "Mode d'extension", "expressionXY.axisExtentConfig.help": "Configurer les étendues d’axe du graphique xy", "expressionXY.axisExtentConfig.lowerBound.help": "Limite inférieure", diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 270950b771dfc..c4390871161d0 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json 
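Review bot: Spreading `normalizedPreviousMonitorAttributes` under `normalizedMonitor` keeps every attribute that exists on the stored monitor but is absent from the incoming project monitor, so a field removed from a project's monitor definition is never cleared on push, and `hasMonitorBeenEdited` — computed on the line above from the two un-merged objects — will report a change whenever the stored document has such an extra key, bumping `revision` without any content change. The inline comment explains the AAD motivation but not this retention; either restrict the merge to the attributes that participate in AAD, or document the behaviour where it happens, e.g. `// previous attributes are kept so the encrypted-SO AAD set does not shrink across field renames; keys dropped from the project monitor therefore persist until a full rewrite`. The enclosing method starts and ends outside the hunk, so I cannot see whether a later step prunes those keys.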
@@ -3531,6 +3531,7 @@ "expressionTagcloud.functions.tagcloudHelpText": "Tagcloudのビジュアライゼーションです。", "expressionTagcloud.renderer.tagcloud.displayName": "Tag Cloudのビジュアライゼーションです", "expressionTagcloud.renderer.tagcloud.helpDescription": "Tag Cloudを表示", + "expressionXY.partialData.bucketTooltipText": "選択された時間範囲にはこのバケット全体は含まれていません。一部データが含まれている可能性があります。", "expressionXY.axisExtentConfig.extentMode.help": "範囲モード", "expressionXY.axisExtentConfig.help": "xyグラフの軸範囲を構成", "expressionXY.axisExtentConfig.lowerBound.help": "下界", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index 2cb5d6352e1c1..dd670a3fbecc7 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -3541,6 +3541,7 @@ "expressionTagcloud.functions.tagcloudHelpText": "标签云图可视化。", "expressionTagcloud.renderer.tagcloud.displayName": "标签云图可视化", "expressionTagcloud.renderer.tagcloud.helpDescription": "呈现标签云图", + "expressionXY.partialData.bucketTooltipText": "选定的时间范围不包括此整个存储桶。其可能包含部分数据。", "expressionXY.axisExtentConfig.extentMode.help": "范围模式", "expressionXY.axisExtentConfig.help": "配置 xy 图表的轴范围", "expressionXY.axisExtentConfig.lowerBound.help": "下边界", diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx index 893d6cf7bc5ad..16e82d6801be1 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.test.tsx 
@@ -988,6 +988,19 @@ describe('rules_list component with items', () => { }) ); }); + + it('rule list items with actions are editable if canExecuteAction is true', async () => { + await setup(); + expect(wrapper.find('.euiButtonIcon-isDisabled').length).toEqual(2); + }); + + it('rule list items with actions are not editable if canExecuteAction is false', async () => { + const { hasExecuteActionsCapability } = jest.requireMock('../../../lib/capabilities'); + hasExecuteActionsCapability.mockReturnValue(false); + await setup(); + expect(wrapper.find('.euiButtonIcon-isDisabled').length).toEqual(5); + hasExecuteActionsCapability.mockReturnValue(true); + }); }); describe('rules_list component empty with show only capability', () => { diff --git a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx index b8afb2d3124ef..99e41e552d031 100644 --- a/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx +++ b/x-pack/plugins/triggers_actions_ui/public/application/sections/rules_list/components/rules_list.tsx @@ -646,6 +646,7 @@ export const RulesList: React.FunctionComponent = () => { ['sort']; page: Pagination; percentileOptions: EuiSelectableOption[]; - canExecuteActions?: boolean; + canExecuteActions: boolean; itemIdToExpandedRowMap?: Record; config: TriggersActionsUiConfig; onSort?: (sort: EuiTableSortingType['sort']) => void; diff --git a/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/data.json.gz b/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/data.json.gz new file mode 100644 index 0000000000000..35b2243cf0604 Binary files /dev/null and b/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/data.json.gz differ diff --git a/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/mappings.json b/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/mappings.json new file mode 100644 index 0000000000000..01a84cda5c2ef --- /dev/null 
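Review bot: The second added test restores `hasExecuteActionsCapability.mockReturnValue(true)` as its final statement, so if the `expect` before it fails the mock stays at `false` and every later test in this `describe` runs with the wrong capability, producing cascading failures unrelated to their subject. Move the reset into an `afterEach`, or wrap the body as `try { await setup(); expect(…).toEqual(5); } finally { hasExecuteActionsCapability.mockReturnValue(true); }`. Both assertions also key on a bare count of `.euiButtonIcon-isDisabled` nodes (2 versus 5), which couples them to the fixture size; a comment naming which two controls are expected to be disabled even with the capability granted would make a future mismatch diagnosable.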
+++ b/x-pack/plugins/ux/e2e/fixtures/rum_8.0.0/mappings.json 
@@ -0,0 +1,7865 @@ +{ + "type": "index", + "value": { + "aliases": { + "apm-8.0.0-span": { + "is_write_index": true + } + }, + "index": "apm-8.0.0-span-000001", + "mappings": { + "_meta": { + "beat": "apm", + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "dns.answers": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "dns.answers.*" + } + }, + { + "log.syslog": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "log.syslog.*" + } + }, + { + "network.inner": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "network.inner.*" + } + }, + { + "observer.egress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.egress.*" + } + }, + { + "observer.ingress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.ingress.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": 
"boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "transaction.marks": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "transaction.marks.*" + } + }, + { + "transaction.marks.*.*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "transaction.marks.*.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "dynamic": "false", + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "path": "agent.name", + "type": "alias" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "child": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "dynamic": "false", + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + 
"city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "dynamic": "false", + "properties": { + "response_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + } + } + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": 
{ + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "dynamic": "false", + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "culprit": { + "ignore_above": 1024, + "type": "keyword" + }, + "exception": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "handled": { + "type": "boolean" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "grouping_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "param_message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": 
"date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "experimental": { + "dynamic": "true", + "type": "object" + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "dynamic": "false", + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + 
"type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "dynamic": "false", + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "finished": { + "type": "boolean" + }, + "headers": { + "enabled": false, + "type": "object" + }, + 
"status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes": { + "dynamic": "false", + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "dynamic": "true", + "properties": { + "git_rev": { + "type": "keyword" + }, + "kibana_uuid": { + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "syslog": { + "properties": { 
+ "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "metricset": { + "properties": { + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "dynamic": "false", + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "listening": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_major": { + "type": "byte" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "dynamic": "false", + "properties": { + "id": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "dynamic": "false", + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": 
"date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "processor": { + "properties": { + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile": { + "dynamic": "false", + "properties": { + "alloc_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "alloc_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "cpu": { + "properties": { + "ns": { + "type": "long" + } + } + }, + "duration": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inuse_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "inuse_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "samples": { + "properties": { + "count": { + "type": "long" + } + } + }, + "stack": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + }, + "top": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "dynamic": "false", + "properties": { + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "framework": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + 
"properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runtime": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sourcemap": { + "dynamic": "false", + "properties": { + "bundle_filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "dynamic": "false", + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "dynamic": "false", + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows_affected": { + "type": "long" + } + } + }, + "destination": { + "dynamic": "false", + "properties": { + "service": { + "dynamic": "false", + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "start": { + "properties": { + "us": { + "type": "long" + } + } + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "actual": { + "properties": { + "free": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "process": { + "properties": { + "cgroup": { + "properties": { + "memory": { + "properties": { + "mem": { + "properties": { + "limit": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "usage": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "stats": { + "properties": { + "inactive_file": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + } + } + } + } + }, + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "rss": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "size": { + "type": "long" + } + } + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": 
{ + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "properties": { + "us": { + "type": "long" + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 
1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tracing": { + "properties": { + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "dynamic": "false", + "properties": { + "breakdown": { + "properties": { + "count": { + "type": "long" + } + } + }, + "duration": { + "properties": { + "count": { + "type": "long" + }, + "histogram": { + "type": "histogram" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + }, + "us": { + "type": "long" + } + } + }, + "experience": { + "properties": { + "cls": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fid": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "tbt": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "marks": { + "dynamic": "true", + "properties": { + "*": { + "properties": { + "*": { + "dynamic": "true", + "type": "object" + } + } + } + } + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "root": { + "type": "boolean" + }, + "sampled": { + "type": 
"boolean" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "span_count": { + "properties": { + "dropped": { + "type": "long" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { 
+ "dynamic": "false", + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "view spans": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "lifecycle": { + "name": "apm-rollover-30-days", + "rollover_alias": "apm-8.0.0-span" + }, + "mapping": { + "total_fields": { + "limit": "2000" + } + }, + "max_docvalue_fields_search": "200", + "number_of_replicas": "0", + "number_of_shards": "1", + "priority": "100", + "refresh_interval": "1ms" + } + } + } +} + +{ + "type": "index", + "value": { + "aliases": { + "apm-8.0.0-transaction": { + "is_write_index": true + } + }, + "index": "apm-8.0.0-transaction-000001", + "mappings": { + "_meta": { + "beat": "apm", + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "dns.answers": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "dns.answers.*" + } + }, + { + "log.syslog": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "log.syslog.*" + } + }, + { + "network.inner": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "network.inner.*" + } + }, + { + "observer.egress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.egress.*" + } + }, + { + "observer.ingress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.ingress.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + 
"mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "transaction.marks": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "transaction.marks.*" + } + }, + { + "transaction.marks.*.*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "transaction.marks.*.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "dynamic": "false", + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "path": "agent.name", + "type": "alias" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "child": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "dynamic": "false", + "properties": { + "address": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "dynamic": "false", + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "dynamic": "false", + "properties": { + "response_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + } + } + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + 
"properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "dynamic": "false", + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "culprit": { + "ignore_above": 1024, + "type": "keyword" + }, + "exception": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "handled": { + "type": "boolean" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "grouping_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "param_message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "experimental": { + "dynamic": "true", + "type": "object" + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "dynamic": "false", + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "dynamic": "false", + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + 
"properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "finished": { + "type": "boolean" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes": { + "dynamic": "false", + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "dynamic": "true", + "properties": { + "foo": { + "type": "keyword" + }, + "git_rev": { + "type": "keyword" + }, + "kibana_uuid": { + "type": "keyword" + }, + "lorem": { + "type": "keyword" + }, + "multi-line": { + "type": "keyword" + }, + 
"this-is-a-very-long-tag-name-without-any-spaces": { + "type": "keyword" + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "metricset": { + "properties": { + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "dynamic": "false", + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "listening": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_major": { + "type": "byte" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "dynamic": "false", + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": 
"text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "processor": { + "properties": { + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile": { + "dynamic": "false", + "properties": { + "alloc_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "alloc_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "cpu": { + "properties": { + "ns": { + "type": "long" + } + } + }, + "duration": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inuse_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "inuse_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "samples": { + "properties": { + "count": { + "type": "long" + } + } + }, + "stack": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"line": { + "type": "long" + } + } + }, + "top": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "dynamic": "false", + "properties": { + "environment": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "framework": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runtime": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { 
+ "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sourcemap": { + "dynamic": "false", + "properties": { + "bundle_filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "dynamic": "false", + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "dynamic": "false", + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows_affected": { + "type": "long" + } + } + }, + "destination": { + "dynamic": "false", + "properties": { + "service": { + "dynamic": "false", + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "start": { + "properties": { + "us": { + "type": "long" + } + } + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "actual": { + "properties": { + "free": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "process": { + "properties": { + "cgroup": { + "properties": { + "memory": { + "properties": { + "mem": { + "properties": { + "limit": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "usage": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "stats": { + "properties": { + "inactive_file": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + } + } + } + } + }, + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "rss": { + "properties": { + "bytes": { + 
"type": "long" + } + } + }, + "size": { + "type": "long" + } + } + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "properties": { + "us": { + "type": "long" + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tracing": { + "properties": { + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "dynamic": "false", + "properties": { + "breakdown": { + "properties": { + "count": { + "type": "long" + } + } + }, + "duration": { + "properties": { + "count": { + "type": "long" + }, + "histogram": { + "type": "histogram" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + }, + "us": { + "type": "long" + } + } + }, + "experience": { + "properties": { + "cls": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fid": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "tbt": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "marks": { + "dynamic": "true", + "properties": { + "*": { 
+ "properties": { + "*": { + "dynamic": "true", + "type": "object" + } + } + }, + "agent": { + "properties": { + "domComplete": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domInteractive": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "firstContentfulPaint": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "largestContentfulPaint": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "timeToFirstByte": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "navigationTiming": { + "properties": { + "connectEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "connectStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domComplete": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domContentLoadedEventEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domContentLoadedEventStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domInteractive": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domLoading": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domainLookupEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domainLookupStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fetchStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "loadEventEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "loadEventStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "requestStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "responseEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "responseStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + } + } + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 
1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "root": { + "type": "boolean" + }, + "sampled": { + "type": "boolean" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "span_count": { + "properties": { + "dropped": { + "type": "long" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "dynamic": "false", + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "view spans": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "lifecycle": { + "name": "apm-rollover-30-days", + "rollover_alias": "apm-8.0.0-transaction" + }, + "mapping": { + "total_fields": { + "limit": "2000" + } + }, + "max_docvalue_fields_search": "200", + "number_of_replicas": "0", + "number_of_shards": "1", + "priority": "100", + "refresh_interval": "1ms" + } + } + } +} diff --git a/x-pack/plugins/ux/e2e/fixtures/rum_test_data/data.json.gz b/x-pack/plugins/ux/e2e/fixtures/rum_test_data/data.json.gz new file mode 100644 index 0000000000000..92e8e04f63af6 Binary files /dev/null and b/x-pack/plugins/ux/e2e/fixtures/rum_test_data/data.json.gz differ diff --git a/x-pack/plugins/ux/e2e/fixtures/rum_test_data/mappings.json b/x-pack/plugins/ux/e2e/fixtures/rum_test_data/mappings.json new file mode 100644 index 0000000000000..3966692d5a4fc --- /dev/null +++ b/x-pack/plugins/ux/e2e/fixtures/rum_test_data/mappings.json 
@@ -0,0 +1,9145 @@ +{ + "type": "index", + "value": { + "index": "apm-8.0.0-error-2020.12.03-000005", + "mappings": { + "_meta": { + "beat": "apm", + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + 
"labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "transaction.marks": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "transaction.marks.*" + } + }, + { + "transaction.marks.*.*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "transaction.marks.*.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "dynamic": "false", + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "path": "agent.name", + "type": "alias" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "child": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "dynamic": "false", + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 
1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "dynamic": "false", + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "culprit": { + "ignore_above": 1024, + "type": "keyword" + }, + "exception": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "handled": { + "type": "boolean" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "grouping_key": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "param_message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "experimental": { + "dynamic": "true", + "type": "object" + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "dynamic": "false", + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "dynamic": "false", + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "finished": { + "type": "boolean" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes": { + "dynamic": "false", + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "dynamic": "true", + "properties": { + "city": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "country_code": { + "type": "keyword" + }, + "customer_tier": { + "type": "keyword" + }, + "foo": { + "type": "keyword" + }, + "git_rev": { + "type": "keyword" + }, + "in_eu": { + "type": "boolean" + }, + "ip": { + "type": "keyword" + }, + "lang": { + "type": "keyword" + }, + "lorem": { + "type": "keyword" + }, + "multi-line": { + "type": "keyword" + }, + "request_id": { + "type": "keyword" + }, + "this-is-a-very-long-tag-name-without-any-spaces": { + "type": "keyword" + }, + "u": { + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
} + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "metricset": { + "properties": { + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "dynamic": "false", + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "listening": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_major": { + "type": "byte" + } + } + }, + 
"organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "dynamic": "false", + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": 
false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "processor": { + "properties": { + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile": { + "dynamic": "false", + "properties": { + "alloc_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "alloc_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "cpu": { + "properties": { + "ns": { + "type": "long" + } + } + }, + "duration": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inuse_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "inuse_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "samples": { + "properties": { + "count": { + "type": "long" + } + } + }, + "stack": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + }, + "top": { + "dynamic": "false", + "properties": { + 
"filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" 
+ } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "dynamic": "false", + "properties": { + 
"environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "framework": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runtime": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sourcemap": { + "dynamic": "false", + "properties": { + "bundle_filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "dynamic": "false", + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "dynamic": "false", + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows_affected": { + "type": "long" + } + } + }, + "destination": { + "dynamic": "false", + "properties": { + "service": { + "dynamic": 
"false", + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "start": { + "properties": { + "us": { + "type": "long" + } + } + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "actual": { + "properties": { + "free": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "process": { + "properties": { + "cgroup": { + "properties": { + "memory": { + "properties": { + "mem": { + "properties": { + "limit": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "usage": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + } + } + } + } + }, + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": 
"scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "rss": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "size": { + "type": "long" + } + } + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "properties": { + "us": { + "type": "long" + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + 
"properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tracing": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "dynamic": "false", + "properties": { + "breakdown": { + "properties": { + "count": { + "type": "long" + } + } + }, + "duration": { + "properties": { + "count": { + "type": "long" + }, + "histogram": { + "type": "histogram" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + }, + "us": { + "type": "long" + } + } + }, + "experience": { + "properties": { + "cls": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fid": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "longtask": { + "properties": { + "count": { + "type": "long" + }, + "max": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "sum": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "tbt": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "marks": { + "dynamic": "true", + "properties": { + "*": { + "properties": { + "*": { + "dynamic": "true", + "type": "object" + } + } + } + } 
+ }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "root": { + "type": "boolean" + }, + "sampled": { + "type": "boolean" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "span_count": { + "properties": { + "dropped": { + "type": "long" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": 
"text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "dynamic": "false", + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "view spans": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "lifecycle": { + "name": "apm-rollover-30-days", + "rollover_alias": "apm-8.0.0-error" + }, + "mapping": { + "total_fields": { + "limit": "2000" + } + }, + "max_docvalue_fields_search": "200", + "number_of_replicas": "1", + "number_of_shards": "1", + "priority": "100", + "refresh_interval": "5s" + } + } + } +} + +{ + "type": "index", + "value": { + "index": "apm-8.0.0-transaction-2020.12.03-000005", + "mappings": { + "_meta": { + "beat": "apm", + "version": "8.0.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + 
"labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "labels_string": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "labels_boolean": { + "mapping": { + "type": "boolean" + }, + "match_mapping_type": "boolean", + "path_match": "labels.*" + } + }, + { + "labels_*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "path_match": "labels.*" + } + }, + { + "transaction.marks": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "transaction.marks.*" + } + }, + { + "transaction.marks.*.*": { + "mapping": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + 
"path_match": "transaction.marks.*.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "dynamic": "false", + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "path": "agent.name", + "type": "alias" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "child": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "dynamic": "false", + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "machine": { + "dynamic": "false", + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": 
"geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "labels": { + "type": "object" + } + } + 
} + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "dynamic": "false", + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "culprit": { + "ignore_above": 1024, + "type": "keyword" + }, + "exception": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "handled": { + "type": "boolean" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "grouping_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "param_message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "experimental": { + "dynamic": "true", + "type": "object" + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + 
} + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + 
}, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "dynamic": "false", + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "dynamic": "false", + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "finished": { + "type": "boolean" + }, + "headers": { + "enabled": false, + "type": "object" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes": { + "dynamic": "false", + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "dynamic": "true", + "properties": { + "city": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "country_code": { + "type": "keyword" + }, + "customer_email": { + "type": "keyword" + }, + "customer_name": { + "type": "keyword" + }, + "customer_tier": { + "type": "keyword" + }, + "foo": { + "type": "keyword" + }, + "git_rev": { + "type": "keyword" + }, + "in_eu": { + "type": "boolean" + }, + "ip": { + "type": "keyword" + }, + "lang": { + "type": "keyword" + }, + "lorem": { + "type": "keyword" + }, + "multi-line": { + "type": "keyword" + }, + "request_id": { + "type": "keyword" + }, + "served_from_cache": { + "type": "keyword" + }, + "this-is-a-very-long-tag-name-without-any-spaces": { + "type": "keyword" + }, + "u": { + "type": "keyword" + }, + "worker": { + "type": "keyword" + } + } + }, + "log": { + 
"properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "metricset": { + "properties": { + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "dynamic": "false", + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "listening": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_major": { + "type": "byte" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "dynamic": "false", + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + 
"properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "processor": { + "properties": { + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile": { + "dynamic": "false", + "properties": { + 
"alloc_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "alloc_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "cpu": { + "properties": { + "ns": { + "type": "long" + } + } + }, + "duration": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inuse_objects": { + "properties": { + "count": { + "type": "long" + } + } + }, + "inuse_space": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "samples": { + "properties": { + "count": { + "type": "long" + } + } + }, + "stack": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + }, + "top": { + "dynamic": "false", + "properties": { + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "line": { + "type": "long" + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": 
{ + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "dynamic": "false", + "properties": { + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "framework": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "runtime": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "dynamic": "false", + "properties": { + 
"address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sourcemap": { + "dynamic": "false", + "properties": { + "bundle_filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "dynamic": "false", + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "dynamic": "false", + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows_affected": { + "type": "long" + } + } + }, + "destination": { + "dynamic": "false", + "properties": { + "service": { + "dynamic": "false", + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "start": { + "properties": { + "us": { + "type": "long" + } + } + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync": { + 
"type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "actual": { + "properties": { + "free": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "process": { + "properties": { + "cgroup": { + "properties": { + "memory": { + "properties": { + "mem": { + "properties": { + "limit": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "usage": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + } + } + } + } + }, + "cpu": { + "properties": { + "total": { + "properties": { + "norm": { + "properties": { + "pct": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + } + } + } + } + }, + "memory": { + "properties": { + "rss": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "size": { + "type": "long" + } + } + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "properties": { + "us": { + "type": "long" + } + } + }, + "tls": { + "properties": { 
+ "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "dynamic": "false", + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tracing": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "dynamic": "false", + "properties": { + "breakdown": { + "properties": { + "count": { + "type": "long" + } + } + }, + "duration": { + 
"properties": { + "count": { + "type": "long" + }, + "histogram": { + "type": "histogram" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + }, + "us": { + "type": "long" + } + } + }, + "experience": { + "properties": { + "cls": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fid": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "longtask": { + "properties": { + "count": { + "type": "long" + }, + "max": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "sum": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "tbt": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "marks": { + "dynamic": "true", + "properties": { + "*": { + "properties": { + "*": { + "dynamic": "true", + "type": "object" + } + } + }, + "agent": { + "properties": { + "domComplete": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domInteractive": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "firstContentfulPaint": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "largestContentfulPaint": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "timeToFirstByte": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + }, + "navigationTiming": { + "properties": { + "connectEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "connectStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domComplete": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domContentLoadedEventEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domContentLoadedEventStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domInteractive": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domLoading": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "domainLookupEnd": { + "scaling_factor": 
1000000, + "type": "scaled_float" + }, + "domainLookupStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "fetchStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "loadEventEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "loadEventStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "requestStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "responseEnd": { + "scaling_factor": 1000000, + "type": "scaled_float" + }, + "responseStart": { + "scaling_factor": 1000000, + "type": "scaled_float" + } + } + } + } + }, + "message": { + "dynamic": "false", + "properties": { + "age": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "queue": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "root": { + "type": "boolean" + }, + "sampled": { + "type": "boolean" + }, + "self_time": { + "properties": { + "count": { + "type": "long" + }, + "sum": { + "properties": { + "us": { + "type": "long" + } + } + } + } + }, + "span_count": { + "properties": { + "dropped": { + "type": "long" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + 
"type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "dynamic": "false", + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "dynamic": "false", + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "view 
spans": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "codec": "best_compression", + "lifecycle": { + "name": "apm-rollover-30-days", + "rollover_alias": "apm-8.0.0-transaction" + }, + "mapping": { + "total_fields": { + "limit": "2000" + } + }, + "max_docvalue_fields_search": "200", + "number_of_replicas": "1", + "number_of_shards": "1", + "priority": "100", + "refresh_interval": "5s" + } + } + } +} diff --git a/x-pack/plugins/cloud_security_posture/server/constants.ts b/x-pack/plugins/ux/e2e/journeys/index.ts similarity index 77% rename from x-pack/plugins/cloud_security_posture/server/constants.ts rename to x-pack/plugins/ux/e2e/journeys/index.ts index 321a662e53914..a9b3851a8d589 100644 --- a/x-pack/plugins/cloud_security_posture/server/constants.ts +++ b/x-pack/plugins/ux/e2e/journeys/index.ts @@ -5,5 +5,4 @@ * 2.0. */ -export const RULE_PASSED = `passed`; -export const RULE_FAILED = `failed`; +export * from './url_ux_query.journey'; 
diff --git a/x-pack/plugins/ux/e2e/journeys/url_ux_query.journey.ts b/x-pack/plugins/ux/e2e/journeys/url_ux_query.journey.ts
new file mode 100644
index 0000000000000..f5e8fd19a9557
--- /dev/null
+++ b/x-pack/plugins/ux/e2e/journeys/url_ux_query.journey.ts
@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { journey, step, expect, before } from '@elastic/synthetics';
+import { UXDashboardDatePicker } from '../page_objects/date_picker';
+import { byTestId, loginToKibana, waitForLoadingToFinish } from './utils';
+
+journey('UX URL Query', async ({ page, params }) => {
+  before(async () => {
+    await waitForLoadingToFinish({ page });
+  });
+
+  const queryParams = {
+    percentile: '50',
+    rangeFrom: '2020-05-18T11:51:00.000Z',
+    rangeTo: '2021-10-30T06:37:15.536Z',
+  };
+  const queryString = new URLSearchParams(queryParams).toString();
+
+  const baseUrl = `${params.kibanaUrl}/app/ux`;
+
+  step('Go to UX Dashboard', async () => {
+    await page.goto(`${baseUrl}?${queryString}`, {
+      waitUntil: 'networkidle',
+    });
+    await loginToKibana({
+      page,
+      user: { username: 'viewer_user', password: 'changeme' },
+    });
+  });
+
+  step('Set date range', async () => {
+    const datePickerPage = new UXDashboardDatePicker(page);
+    await datePickerPage.setDefaultE2eRange();
+  });
+
+  step('Confirm query params', async () => {
+    const value = await page.$eval(
+      byTestId('uxPercentileSelect'),
+      (sel: HTMLInputElement) => sel.value
+    );
+
+    expect(value).toBe(queryParams.percentile);
+  });
+});
diff --git a/x-pack/plugins/ux/e2e/journeys/utils.ts b/x-pack/plugins/ux/e2e/journeys/utils.ts
new file mode 100644
index 0000000000000..8020d83975e0f
--- /dev/null
+++ b/x-pack/plugins/ux/e2e/journeys/utils.ts
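Review bot: The 'Confirm query params' step only asserts `percentile`, while `rangeFrom` and `rangeTo` are put on the URL and then overwritten by `setDefaultE2eRange()` before anything reads them, so the journey never verifies that the date range is taken from the query string. Either assert that the picker shows the URL range before the 'Set date range' step, or drop the two unused params so the fixture matches what is actually tested. The `before` hook calls `waitForLoadingToFinish` before any `page.goto`, so it inspects a blank page and returns immediately; it can be removed or moved after navigation. The `viewer_user`/`changeme` pair is hard-coded in the journey; reading it from `params` (as `kibanaUrl` already is) keeps credentials out of the test body and lets the same journey run against a non-default stack.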
@@ -0,0 +1,77 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { expect, Page } from '@elastic/synthetics';
+
+export async function waitForLoadingToFinish({ page }: { page: Page }) {
+  while (true) {
+    if ((await page.$(byTestId('kbnLoadingMessage'))) === null) break;
+    await page.waitForTimeout(5 * 1000);
+  }
+}
+
+export async function loginToKibana({
+  page,
+  user,
+}: {
+  page: Page;
+  user?: { username: string; password: string };
+}) {
+  await page.fill(
+    '[data-test-subj=loginUsername]',
+    user?.username ?? 'elastic',
+    {
+      timeout: 60 * 1000,
+    }
+  );
+
+  await page.fill(
+    '[data-test-subj=loginPassword]',
+    user?.password ?? 'changeme'
+  );
+
+  await page.click('[data-test-subj=loginSubmit]');
+
+  await waitForLoadingToFinish({ page });
+}
+
+export const byTestId = (testId: string) => {
+  return `[data-test-subj=${testId}]`;
+};
+
+export const assertText = async ({
+  page,
+  text,
+}: {
+  page: Page;
+  text: string;
+}) => {
+  await page.waitForSelector(`text=${text}`);
+  expect(await page.$(`text=${text}`)).toBeTruthy();
+};
+
+export const assertNotText = async ({
+  page,
+  text,
+}: {
+  page: Page;
+  text: string;
+}) => {
+  expect(await page.$(`text=${text}`)).toBeFalsy();
+};
+
+export const getQuerystring = (params: object) => {
+  return Object.entries(params)
+    .map(
+      ([key, value]) =>
+        encodeURIComponent(key) + '=' + encodeURIComponent(value)
+    )
+    .join('&');
+};
+
+export const delay = (ms: number) =>
+  new Promise((resolve) => setTimeout(resolve, ms));
diff --git a/x-pack/plugins/ux/e2e/page_objects/dashboard.ts b/x-pack/plugins/ux/e2e/page_objects/dashboard.ts
new file mode 100644
index 0000000000000..8c44ae67d4db9
--- /dev/null
+++ b/x-pack/plugins/ux/e2e/page_objects/dashboard.ts
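Review bot: `waitForLoadingToFinish` polls with `while (true)` and no upper bound, so a page that never clears `kbnLoadingMessage` (a stalled login redirect, a crashed plugin) hangs the journey until the runner's global timeout and hides the real failure; a bounded wait such as `await page.waitForSelector(byTestId('kbnLoadingMessage'), { state: 'detached', timeout: 60 * 1000 });` fails fast with a useful message instead. `byTestId` emits the attribute value unquoted, so it only works while every test id is a valid CSS identifier; quoting it as `[data-test-subj="${testId}"]` is safer and would also let the literal `'[data-test-subj=loginUsername]'` selectors in `loginToKibana` reuse the helper. The fallback credentials `'elastic'`/`'changeme'` in `loginToKibana` are the local dev-stack defaults and acceptable for an e2e run, but a comment such as `// local dev-stack defaults; runs against a shared cluster must pass user explicitly` would keep them from being copied into a config that reaches a real deployment. `getQuerystring` re-implements what `URLSearchParams` already provides, and the journey added in this same change already uses `new URLSearchParams(...).toString()`, so one of the two can go.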
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Page } from '@elastic/synthetics';
+import { Locator, byTestId } from './utils';
+
+export class UXDashboardFilters {
+ readonly page: Page;
+ readonly percentileSelect: Locator;
+
+ constructor(page: Page) {
+ this.page = page;
+ this.percentileSelect = page.locator(byTestId('uxPercentileSelect'));
+ }
+
+ getPercentileOption(percentile: '50' | '55' | '90' | '95' | '99') {
+ return this.page.locator(byTestId(`p${percentile}Percentile`));
+ }
+}
diff --git a/x-pack/plugins/ux/e2e/page_objects/date_picker.ts b/x-pack/plugins/ux/e2e/page_objects/date_picker.ts
new file mode 100644
index 0000000000000..31eb226e76a07
--- /dev/null
+++ b/x-pack/plugins/ux/e2e/page_objects/date_picker.ts
@@ -0,0 +1,68 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import moment from 'moment'; +import { Page } from '@elastic/synthetics'; +import { Locator, byTestId } from './utils'; + +const DEFAULT_ABS_START_UTC_DATE = '2022-05-22T19:00:00.000Z'; +const DEFAULT_ABS_END_UTC_DATE = '2022-05-22T20:00:00.000Z'; +const MOMENT_DATE_INPUT_FORMAT = 'MMM DD, YYYY @ HH:mm:ss:SSS'; + +export class UXDashboardDatePicker { + readonly page: Page; + readonly dateStarButton: Locator; + readonly dateEndButton: Locator; + readonly datePopupAbsoluteTab: Locator; + readonly dateAbsoluteInput: Locator; + readonly dateApplyButton: Locator; + + constructor(page: Page) { + this.page = page; + this.dateStarButton = page.locator('.euiDatePopoverButton--start'); + this.dateEndButton = page.locator('.euiDatePopoverButton--end'); + this.datePopupAbsoluteTab = page.locator('text=Absolute'); + this.dateAbsoluteInput = page.locator( + byTestId('superDatePickerAbsoluteDateInput') + ); + this.dateApplyButton = page.locator( + byTestId('superDatePickerApplyTimeButton') + ); + } + + async setAbsoluteStartDate(dateStr: string) { + await this.dateStarButton.first().click({ timeout: 3 * 60 * 1000 }); + await this.datePopupAbsoluteTab.first().click(); + await this.dateAbsoluteInput.first().click({ clickCount: 3 }); // clear input + await this.dateAbsoluteInput.first().type(dateStr); + } + + async setAbsoluteEndDate(dateStr: string) { + await this.dateEndButton.first().click(); + await this.datePopupAbsoluteTab.first().click(); + await this.dateAbsoluteInput.first().click({ clickCount: 3 }); // clear input + await this.dateAbsoluteInput.first().type(dateStr); + } + + async applyDate() { + await this.dateApplyButton.click(); + } + + async setDefaultE2eRange() { + const startDateStr = 
moment(DEFAULT_ABS_START_UTC_DATE).format( + MOMENT_DATE_INPUT_FORMAT + ); + await this.setAbsoluteStartDate(startDateStr); + + const endDateStr = moment(DEFAULT_ABS_END_UTC_DATE).format( + MOMENT_DATE_INPUT_FORMAT + ); + await this.setAbsoluteEndDate(endDateStr); + + await this.applyDate(); + } +} diff --git a/x-pack/plugins/ux/e2e/page_objects/login.tsx b/x-pack/plugins/ux/e2e/page_objects/login.tsx new file mode 100644 index 0000000000000..cdc7979f7cf43 --- /dev/null +++ b/x-pack/plugins/ux/e2e/page_objects/login.tsx @@ -0,0 +1,42 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { Page } from '@elastic/synthetics'; + +export function loginPageProvider({ + page, + isRemote = false, + username = 'elastic', + password = 'changeme', +}: { + page: Page; + isRemote?: boolean; + username?: string; + password?: string; +}) { + return { + async waitForLoadingToFinish() { + while (true) { + if ((await page.$('[data-test-subj=kbnLoadingMessage]')) === null) + break; + await page.waitForTimeout(5 * 1000); + } + }, + async loginToKibana(usernameT?: string, passwordT?: string) { + if (isRemote) { + await page.click('text="Log in with Elasticsearch"'); + } + await page.fill('[data-test-subj=loginUsername]', usernameT ?? username, { + timeout: 60 * 1000, + }); + await page.fill('[data-test-subj=loginPassword]', passwordT ?? password); + + await page.click('[data-test-subj=loginSubmit]'); + + await this.waitForLoadingToFinish(); + }, + }; +} diff --git a/x-pack/plugins/ux/e2e/page_objects/utils.tsx b/x-pack/plugins/ux/e2e/page_objects/utils.tsx new file mode 100644 index 0000000000000..280e1f03b99d1 --- /dev/null +++ b/x-pack/plugins/ux/e2e/page_objects/utils.tsx 
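Review bot: `applyDate` clicks `this.dateApplyButton` directly while every other locator in this class is narrowed with `.first()` before the click; if `superDatePickerApplyTimeButton` matches more than one element, Playwright's strict-mode locator throws here and nowhere else, so the class should be consistent either way. `setAbsoluteStartDate` waits up to three minutes for the start button but `setAbsoluteEndDate` uses the default timeout for the end button — presumably the first click absorbs page rendering, which deserves a comment: `// first interaction after navigation: allow the dashboard to finish rendering`. `dateStarButton` reads like a typo for `dateStartButton`. The constants are named `_UTC_` but `moment(...)` formats them in the runner's local zone; that is presumably what the picker expects when its timezone setting is the browser's, but it looks like a bug on first reading and a one-line comment would settle it.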
@@ -0,0 +1,63 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { expect, Page } from '@elastic/synthetics'; + +export type Locator = ReturnType; + +export function byTestId(testId: string) { + return `[data-test-subj=${testId}]`; +} + +export function utilsPageProvider({ page }: { page: Page }) { + return { + byTestId(testId: string) { + return byTestId(testId); + }, + + async waitForLoadingToFinish() { + while (true) { + if ((await page.$(this.byTestId('kbnLoadingMessage'))) === null) break; + await page.waitForTimeout(5 * 1000); + } + }, + + async dismissSyntheticsCallout() { + await page.click('[data-test-subj=uptimeDismissSyntheticsCallout]', { + timeout: 60 * 1000, + }); + }, + + async assertText({ text }: { text: string }) { + await page.waitForSelector(`text=${text}`); + expect(await page.$(`text=${text}`)).toBeTruthy(); + }, + + async fillByTestSubj(dataTestSubj: string, value: string) { + await page.fill(`[data-test-subj=${dataTestSubj}]`, value); + }, + + async selectByTestSubj(dataTestSubj: string, value: string) { + await page.selectOption(`[data-test-subj=${dataTestSubj}]`, value); + }, + + async checkByTestSubj(dataTestSubj: string, value: string) { + await page.check(`[data-test-subj=${dataTestSubj}]`); + }, + + async clickByTestSubj(dataTestSubj: string) { + await page.click(`[data-test-subj=${dataTestSubj}]`); + }, + + async findByTestSubj(dataTestSubj: string) { + return await page.waitForSelector(`[data-test-subj=${dataTestSubj}]`); + }, + + async findByText(text: string) { + return await page.waitForSelector(`text=${text}`); + }, + }; +} diff --git a/x-pack/plugins/ux/e2e/synthetics_run.ts b/x-pack/plugins/ux/e2e/synthetics_run.ts new file mode 100644 index 0000000000000..08db83f4fe659 --- /dev/null 
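Review bot: `checkByTestSubj(dataTestSubj, value)` takes a `value` argument it never uses — `page.check(...)` only ever checks the box — so a caller passing `'false'` gets the opposite of what it asked for; drop the parameter, `async checkByTestSubj(dataTestSubj: string) { await page.check(\`[data-test-subj=${dataTestSubj}]\`); }`, or honour it. `byTestId` (here and in `journeys/utils.ts`) interpolates the id into an attribute selector unquoted, `[data-test-subj=${testId}]`, which works for the simple ids used so far but breaks on ids containing spaces or punctuation; `[data-test-subj="${testId}"]` is the safer form. `findByTestSubj` and `findByText` `return await` inside an async function, which only adds a tick; returning the promise directly reads cleaner.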
+++ b/x-pack/plugins/ux/e2e/synthetics_run.ts @@ -0,0 +1,45 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { FtrConfigProviderContext } from '@kbn/test'; +import { argv } from '@kbn/synthetics-plugin/e2e/parse_args_params'; +import { SyntheticsRunner } from '@kbn/synthetics-plugin/e2e/synthetics_start'; +import path from 'path'; + +const { headless, grep, pauseOnError } = argv; + +async function runE2ETests({ readConfigFile }: FtrConfigProviderContext) { + const kibanaConfig = await readConfigFile( + require.resolve('@kbn/synthetics-plugin/e2e/config') + ); + + return { + ...kibanaConfig.getAll(), + testRunner: async ({ getService }: any) => { + const syntheticsRunner = new SyntheticsRunner(getService, { + headless, + match: grep, + pauseOnError, + }); + + await syntheticsRunner.setup(); + + const fixturesDir = path.join(__dirname, '../e2e/fixtures/'); + + await syntheticsRunner.loadTestData(fixturesDir, [ + 'rum_8.0.0', + 'rum_test_data', + ]); + await syntheticsRunner.loadTestFiles(async () => { + require('./journeys'); + }); + await syntheticsRunner.run(); + }, + }; +} + +// eslint-disable-next-line import/no-default-export +export default runE2ETests; diff --git a/x-pack/plugins/ux/e2e/tsconfig.json b/x-pack/plugins/ux/e2e/tsconfig.json new file mode 100644 index 0000000000000..0ebca1d2f9e48 --- /dev/null +++ b/x-pack/plugins/ux/e2e/tsconfig.json @@ -0,0 +1,20 @@ +{ + "extends": "../../../../tsconfig.base.json", + "exclude": ["tmp", "target/**/*"], + "include": ["./**/*"], + "compilerOptions": { + "outDir": "target/types", + "types": [ "node"], + }, + "references": [ + { + "path": "../../apm/tsconfig.json", + }, + { + "path": "../../synthetics/e2e/tsconfig.json", + }, + { + "path": "../tsconfig.json", + } + ] +} 
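Review bot: `path.join(__dirname, '../e2e/fixtures/')` goes up out of `e2e/` and straight back into it, so it resolves to the same directory as `path.join(__dirname, 'fixtures')`; the shorter form says what is meant and will not break if the file is moved. The `testRunner` callback types its context as `any`; `FtrProviderContext` from `@kbn/test` would give `getService` a type, assuming that is what the runner passes. I cannot see a `fixtures/` directory or a `journeys/index.ts` in this diff, so `loadTestData` and `require('./journeys')` rely on files added elsewhere — worth confirming they exist in this plugin rather than only in the synthetics plugin the config was modelled on.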
diff --git a/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_filters.tsx b/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_filters.tsx index 296ef32ca5b8c..776830fd10a7c 100644 --- a/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_filters.tsx +++ b/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_filters.tsx @@ -10,14 +10,14 @@ import { EuiButtonEmpty, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import styled from 'styled-components'; import { FilterValueLabel } from '@kbn/observability-plugin/public'; -import { IndexPattern } from '@kbn/data-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { useLegacyUrlParams } from '../../../../context/url_params_context/use_url_params'; import { FiltersUIHook } from '../hooks/use_local_uifilters'; import { SelectedWildcards } from './selected_wildcards'; import { UxLocalUIFilterName } from '../../../../../common/ux_ui_filter'; interface Props { - indexPattern?: IndexPattern; + indexPattern?: DataView; filters: FiltersUIHook['filters']; invertFilter: FiltersUIHook['invertFilter']; onChange: (name: UxLocalUIFilterName, values: string[]) => void; diff --git a/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_wildcards.tsx b/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_wildcards.tsx index dd6e7f16f7ec8..782a0b9a1b517 100644 --- a/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_wildcards.tsx +++ b/x-pack/plugins/ux/public/components/app/rum_dashboard/local_uifilters/selected_wildcards.tsx 
@@ -13,12 +13,12 @@ import { fromQuery, toQuery, } from '@kbn/observability-plugin/public'; -import { IndexPattern } from '@kbn/data-views-plugin/common'; +import type { DataView } from '@kbn/data-views-plugin/public'; import { useLegacyUrlParams } from '../../../../context/url_params_context/use_url_params'; import { TRANSACTION_URL } from '../../../../../common/elasticsearch_fieldnames'; interface Props { - indexPattern: IndexPattern; + indexPattern: DataView; } export function SelectedWildcards({ indexPattern }: Props) { const history = useHistory(); diff --git a/x-pack/plugins/ux/public/components/app/rum_dashboard/panels/web_application_select.tsx b/x-pack/plugins/ux/public/components/app/rum_dashboard/panels/web_application_select.tsx index 1eca5840b546c..1bdd3da7a2cc2 100644 --- a/x-pack/plugins/ux/public/components/app/rum_dashboard/panels/web_application_select.tsx +++ b/x-pack/plugins/ux/public/components/app/rum_dashboard/panels/web_application_select.tsx @@ -6,20 +6,12 @@ */ import React from 'react'; -import datemath from '@kbn/datemath'; import { useEsSearch } from '@kbn/observability-plugin/public'; import { serviceNameQuery } from '../../../../services/data/service_name_query'; import { ServiceNameFilter } from '../url_filter/service_name_filter'; import { useLegacyUrlParams } from '../../../../context/url_params_context/use_url_params'; import { useDataView } from '../local_uifilters/use_data_view'; - -function callDateMath(value: unknown): number { - const DEFAULT_RETURN_VALUE = 0; - if (typeof value === 'string') { - return datemath.parse(value)?.valueOf() ?? DEFAULT_RETURN_VALUE; - } - return DEFAULT_RETURN_VALUE; -} +import { callDateMath } from '../../../../services/data/call_date_math'; export function WebApplicationSelect() { const { @@ -42,6 +34,9 @@ export function WebApplicationSelect() { data?.aggregations?.services?.buckets.map(({ key }) => key as string) ?? []; return ( - + ); } 
diff --git a/x-pack/plugins/ux/public/components/app/rum_dashboard/url_filter/url_search/index.tsx b/x-pack/plugins/ux/public/components/app/rum_dashboard/url_filter/url_search/index.tsx index 761724340662c..8493455fcff97 100644 --- a/x-pack/plugins/ux/public/components/app/rum_dashboard/url_filter/url_search/index.tsx +++ b/x-pack/plugins/ux/public/components/app/rum_dashboard/url_filter/url_search/index.tsx @@ -103,7 +103,7 @@ export function URLSearch({ const [items, setItems] = useState([]); - const { data, status } = useUrlSearch({ query: searchValue, popoverIsOpen }); + const { data, loading } = useUrlSearch({ query: searchValue, popoverIsOpen }); useEffect(() => { const newItems = formatOptions( @@ -151,8 +151,6 @@ export function URLSearch({ setSearchValue(val); }; - const isLoading = status !== 'success'; - const onApply = () => { const { includedItems, excludedItems } = processItems(items); 
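Review bot: The removed `isLoading = status !== 'success'` treated an errored or idle fetch as still loading; the new `loading` flag from `useUrlSearch` is presumably false once the request settles either way, so a failed search now renders like an empty result instead of a loading state — confirm the hook's error is surfaced somewhere, or keep the combo box loading until `data` is defined. `URLSearch` begins and ends outside this hunk, so I cannot see how `loading` is consumed further down.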
@@ -184,7 +182,7 @@ export function URLSearch({ return ( { [query] ); - return useFetcher( - (callApmApi) => { - if (uxQuery && popoverIsOpen) { - return callApmApi('GET /internal/apm/ux/url-search', { - params: { - query: { - ...uxQuery, - uiFilters: JSON.stringify(restFilters), - urlQuery: searchValue, - }, - }, - }); - } - return Promise.resolve(null); + const { dataViewTitle } = useDataView(); + const { data: asyncSearchResult, loading } = useEsSearch( + { + // when `index` is undefined, the hook will not send a request, + // so we pass this to ensure the search values load lazily + index: uxQuery && popoverIsOpen ? dataViewTitle : undefined, + ...urlSearchQuery(restFilters, uxQuery, searchValue), }, - // eslint-disable-next-line react-hooks/exhaustive-deps - [uxQuery, searchValue, popoverIsOpen] + [dataViewTitle, popoverIsOpen, uxQuery, searchValue], + { name: 'UX_URL_SEARCH' } ); + + const data = useMemo(() => { + if (!asyncSearchResult) return asyncSearchResult; + const { urls, totalUrls } = asyncSearchResult.aggregations ?? {}; + + const pkey = Number(uxQuery?.percentile ?? 0).toFixed(1); + + return { + total: totalUrls?.value || 0, + items: (urls?.buckets ?? []).map((bucket) => ({ + url: bucket.key as string, + count: bucket.doc_count, + pld: bucket.medianPLD.values[pkey] ?? 0, + })), + }; + }, [asyncSearchResult, uxQuery?.percentile]); + + return { data, loading }; }; diff --git a/x-pack/plugins/ux/public/services/data/call_date_math.ts b/x-pack/plugins/ux/public/services/data/call_date_math.ts new file mode 100644 index 0000000000000..76df29f6c1ff5 --- /dev/null +++ b/x-pack/plugins/ux/public/services/data/call_date_math.ts 
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import datemath from '@kbn/datemath';
+
+export function callDateMath(value: unknown): number {
+ const DEFAULT_RETURN_VALUE = 0;
+ if (typeof value === 'string') {
+ return datemath.parse(value)?.valueOf() ?? DEFAULT_RETURN_VALUE;
+ }
+ return DEFAULT_RETURN_VALUE;
+}
diff --git a/x-pack/plugins/apm/server/routes/rum_client/get_url_search.ts b/x-pack/plugins/ux/public/services/data/url_search_query.ts
similarity index 50%
rename from x-pack/plugins/apm/server/routes/rum_client/get_url_search.ts
rename to x-pack/plugins/ux/public/services/data/url_search_query.ts
index 0ffb836402f61..aa162e9174c01 100644
--- a/x-pack/plugins/apm/server/routes/rum_client/get_url_search.ts
+++ b/x-pack/plugins/ux/public/services/data/url_search_query.ts
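Review bot: `callDateMath` is used for both ends of the range by its new caller in `url_search_query.ts` (`start: callDateMath(uxQuery?.start)`, `end: callDateMath(uxQuery?.end)`), but `datemath.parse` is called without `roundUp`, so a rounded expression such as `now/d` as the end bound resolves to the start of the day rather than its end and the query window collapses. A backward-compatible fix is an optional flag, `export function callDateMath(value: unknown, roundUp = false): number` with `datemath.parse(value, { roundUp })?.valueOf()`, and passing `true` for `end`. The body is otherwise a verbatim move of the helper removed from `web_application_select.tsx`; a one-line doc comment stating that non-string input yields `0` would help callers that hand it `unknown` URL state.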
@@ -5,34 +5,28 @@ * 2.0. */ -import { mergeProjection } from '../../projections/util/merge_projection'; -import { SetupUX } from './route'; -import { getRumPageLoadTransactionsProjection } from '../../projections/rum_page_load_transactions'; import { TRANSACTION_DURATION, TRANSACTION_URL, } from '../../../common/elasticsearch_fieldnames'; +import { SetupUX } from '../../../typings/ui_filters'; +import { getRumPageLoadTransactionsProjection } from './projections'; +import { callDateMath } from './call_date_math'; +import { mergeProjection } from '../../../common/utils/merge_projection'; -export async function getUrlSearch({ - setup, - urlQuery, - percentile, - start, - end, -}: { - setup: SetupUX; - urlQuery?: string; - percentile: number; - start: number; - end: number; -}) { +export function urlSearchQuery( + restFilters: any, + uxQuery: any, + searchValue: string +) { + const setup: SetupUX = { uiFilters: restFilters ? restFilters : {} }; const projection = getRumPageLoadTransactionsProjection({ setup, - urlQuery, - start, - end, + urlQuery: searchValue, + ...uxQuery, + start: callDateMath(uxQuery?.start), + end: callDateMath(uxQuery?.end), }); - const params = mergeProjection(projection, { body: { size: 0, @@ -51,7 +45,7 @@ export async function getUrlSearch({ medianPLD: { percentiles: { field: TRANSACTION_DURATION, - percents: [percentile], + percents: [Number(uxQuery?.percentile)], }, }, }, @@ -59,20 +53,6 @@ export async function getUrlSearch({ }, }, }); - - const { apmEventClient } = setup; - - const response = await apmEventClient.search('get_url_search', params); - const { urls, totalUrls } = response.aggregations ?? {}; - - const pkey = percentile.toFixed(1); - - return { - total: totalUrls?.value || 0, - items: (urls?.buckets ?? []).map((bucket) => ({ - url: bucket.key as string, - count: bucket.doc_count, - pld: bucket.medianPLD.values[pkey] ?? 0, - })), - }; + const { apm: _apm, ...rest } = params; + return rest; } 
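Review bot: `percents: [Number(uxQuery?.percentile)]` becomes `[NaN]` when `percentile` is absent from the URL state — JSON serialises that as `null`, which Elasticsearch is unlikely to accept — while the consumer in `use_url_search` defaults to `0` (`Number(uxQuery?.percentile ?? 0).toFixed(1)`); apply one shared default on both sides, e.g. `percents: [Number(uxQuery?.percentile ?? 0)]`, ideally via a named default percentile. `restFilters: any, uxQuery: any` discards the typing the server route had (`percentile: number`, `start`/`end: number`), and `...uxQuery` spreads every key of the URL state into the projection arguments, so any argument the projection destructures can be overridden from the query string. Dropping `apm` from `params` removes the event-type scoping the server-side `apmEventClient` applied; the query now runs against whatever `index` the caller passes, so confirm `getRumPageLoadTransactionsProjection` still constrains `processor.event` in its filter, or the URL list will include non-page-load documents. Moving the query into the browser also makes the search body fully user-constructible, which relies on the data plugin's server-side index-privilege checks; that assumption deserves a comment at the top of `urlSearchQuery`.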
diff --git a/x-pack/plugins/ux/scripts/e2e.js b/x-pack/plugins/ux/scripts/e2e.js new file mode 100644 index 0000000000000..4e03964856a66 --- /dev/null +++ b/x-pack/plugins/ux/scripts/e2e.js @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +/* eslint-disable no-console */ +/* eslint-disable @kbn/imports/uniform_imports */ + +const { + executeSyntheticsRunner, +} = require('../../synthetics/scripts/base_e2e'); +const path = require('path'); + +const e2eDir = path.join(__dirname, '../e2e'); + +console.log(e2eDir); + +executeSyntheticsRunner(e2eDir); diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts index cf2cb8c6b0f1c..274c3f06b5d36 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts @@ -24,7 +24,7 @@ const ES_TEST_INDEX_REFERENCE = '-na-'; const ES_TEST_OUTPUT_INDEX_NAME = `${ES_TEST_INDEX_NAME}-output`; const ALERT_INTERVALS_TO_WRITE = 5; -const ALERT_INTERVAL_SECONDS = 3; +const ALERT_INTERVAL_SECONDS = 4; const ALERT_INTERVAL_MILLIS = ALERT_INTERVAL_SECONDS * 1000; const ES_GROUPS_TO_WRITE = 3; 
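Review bot: `console.log(e2eDir)` looks like a leftover debug print, and it is the only reason for the `/* eslint-disable no-console */` at the top; removing both lines leaves the script as a thin call into `executeSyntheticsRunner`, which is all it needs to be. If the resolved directory is worth showing, the runner's own logging would be the place rather than a bare `console.log`.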
@@ -37,8 +37,7 @@ export default function alertTests({ getService }: FtrProviderContext) { const esTestIndexTool = new ESTestIndexTool(es, retry); const esTestIndexToolOutput = new ESTestIndexTool(es, retry, ES_TEST_OUTPUT_INDEX_NAME); - // FLAKY: https://github.com/elastic/kibana/issues/129380 - describe.skip('alert', async () => { + describe('alert', async () => { let endDate: string; let actionId: string; const objectRemover = new ObjectRemover(supertest); @@ -138,7 +137,7 @@ export default function alertTests({ getService }: FtrProviderContext) { expect(name).to.be('always fire'); expect(title).to.be(`alert 'always fire' matched query`); const messagePattern = - /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; + /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; expect(message).to.match(messagePattern); expect(hits).not.to.be.empty(); @@ -230,7 +229,7 @@ export default function alertTests({ getService }: FtrProviderContext) { expect(name).to.be('always fire'); expect(title).to.be(`alert 'always fire' matched query`); const messagePattern = - /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; + /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; expect(message).to.match(messagePattern); expect(hits).not.to.be.empty(); 
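Review bot: The message regexes in this hunk and the three that follow (`@@ -230`, `@@ -340`, `@@ -400`) hard-code `over 20s`, a value that appears to be `ALERT_INTERVALS_TO_WRITE * ALERT_INTERVAL_SECONDS` (5 × 4) from the constants in the `@@ -24` hunk; the one-second interval change had to be mirrored by hand in four places. Deriving it once, `const TIME_WINDOW = ALERT_INTERVALS_TO_WRITE * ALERT_INTERVAL_SECONDS;`, and building the patterns with `new RegExp(...)` around `over ${TIME_WINDOW}s` keeps the next interval tweak from silently desynchronising the expectations. Re-enabling the test that was skipped for the flakiness issue named in the removed comment with only a timing change is a reasonable bet, but a comment recording that the interval bump is the intended fix would help whoever sees it flake next.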
@@ -340,7 +339,7 @@ export default function alertTests({ getService }: FtrProviderContext) { expect(name).to.be('fires once'); expect(title).to.be(`alert 'fires once' matched query`); const messagePattern = - /alert 'fires once' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than or equal to 0 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; + /alert 'fires once' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than or equal to 0 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; expect(message).to.match(messagePattern); expect(hits).not.to.be.empty(); expect(previousTimestamp).to.be.empty(); @@ -400,7 +399,7 @@ export default function alertTests({ getService }: FtrProviderContext) { expect(name).to.be('always fire'); expect(title).to.be(`alert 'always fire' matched query`); const messagePattern = - /alert 'always fire' is active:\n\n- Value: 0+\n- Conditions Met: Number of matching documents is less than 1 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; + /alert 'always fire' is active:\n\n- Value: 0+\n- Conditions Met: Number of matching documents is less than 1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/; expect(message).to.match(messagePattern); expect(hits).to.be.empty(); diff --git a/x-pack/test/api_integration/apis/metrics_ui/inventory_threshold_alert.ts b/x-pack/test/api_integration/apis/metrics_ui/inventory_threshold_alert.ts index aa0c1af92f951..230ae0e134f43 100644 --- a/x-pack/test/api_integration/apis/metrics_ui/inventory_threshold_alert.ts +++ b/x-pack/test/api_integration/apis/metrics_ui/inventory_threshold_alert.ts 
@@ -172,6 +172,46 @@ export default function ({ getService }: FtrProviderContext) { }, }); }); + it('should work with a long threshold', async () => { + const results = await evaluateCondition({ + ...baseOptions, + condition: { + ...baseCondition, + metric: 'rx', + threshold: [107374182400], + comparator: Comparator.LT, + }, + esClient, + }); + expect(results).to.eql({ + 'host-0': { + metric: 'rx', + timeSize: 1, + timeUnit: 'm', + sourceId: 'default', + threshold: [107374182400], + comparator: '<', + shouldFire: true, + shouldWarn: false, + isNoData: false, + isError: false, + currentValue: 1666.6666666666667, + }, + 'host-1': { + metric: 'rx', + timeSize: 1, + timeUnit: 'm', + sourceId: 'default', + threshold: [107374182400], + comparator: '<', + shouldFire: true, + shouldWarn: false, + isNoData: false, + isError: false, + currentValue: 2000, + }, + }); + }); it('should work FOR LAST 5 minute', async () => { const options = { ...baseOptions, diff --git a/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts b/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts index 64b2b5211a1bf..5d6f38b368f2e 100644 --- a/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts +++ b/x-pack/test/api_integration/apis/metrics_ui/metric_threshold_alert.ts 
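Review bot: `107374182400` appears as a bare literal three times in this test and twice more in the matching `metric_threshold_alert.ts` hunk; naming it once, `const LONG_THRESHOLD = 107374182400; // 100 GiB — above 2^32, exercises thresholds that do not fit a 32-bit integer`, documents why the test exists and keeps the supplied and expected values from drifting apart. The expectations also compare `currentValue: 1666.6666666666667` with `to.eql`, which pins an exact binary float; it matches today's fixture but any change in how the rate is averaged will fail here on rounding rather than on the threshold behaviour under test.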
@@ -768,6 +768,49 @@ export default function ({ getService }: FtrProviderContext) { describe('with rate data', () => { before(() => esArchiver.load('x-pack/test/functional/es_archives/infra/alerts_test_data')); after(() => esArchiver.unload('x-pack/test/functional/es_archives/infra/alerts_test_data')); + it('should alert on rate with long threshold', async () => { + const params = { + ...baseParams, + criteria: [ + { + timeSize: 1, + timeUnit: 'm', + threshold: [107374182400], + comparator: Comparator.LT_OR_EQ, + aggType: Aggregators.RATE, + metric: 'value', + } as NonCountMetricExpressionParams, + ], + }; + const timeFrame = { end: rate.max }; + const results = await evaluateRule( + esClient, + params, + configuration, + 10000, + true, + logger, + void 0, + timeFrame + ); + expect(results).to.eql([ + { + '*': { + timeSize: 1, + timeUnit: 'm', + threshold: [107374182400], + comparator: '<=', + aggType: 'rate', + metric: 'value', + currentValue: 0.6666666666666666, + timestamp: '2021-01-02T00:05:00.000Z', + shouldFire: true, + shouldWarn: false, + isNoData: false, + }, + }, + ]); + }); describe('without groupBy', () => { it('should alert on rate', async () => { const params = { diff --git a/x-pack/test/api_integration/apis/security_solution/network_details.ts b/x-pack/test/api_integration/apis/security_solution/network_details.ts index c1cbcb6469d9f..40ea8906661bd 100644 --- a/x-pack/test/api_integration/apis/security_solution/network_details.ts +++ b/x-pack/test/api_integration/apis/security_solution/network_details.ts 
@@ -34,14 +34,13 @@ export default function ({ getService }: FtrProviderContext) { ip: '151.205.0.17', defaultIndex: ['filebeat-*'], factoryQueryType: NetworkQueries.details, - docValueFields: [], inspect: false, }, strategy: 'securitySolutionSearchStrategy', }); - expect(body.networkDetails.source?.geo.continent_name).to.be('North America'); - expect(body.networkDetails.source?.geo.location?.lat!).to.be(37.751); + expect(body.networkDetails.source?.geo.continent_name).to.eql(['North America']); + expect(body.networkDetails.source?.geo.location?.lat!).to.eql([37.751]); expect(body.networkDetails.host?.os?.platform).to.eql(['raspbian']); }); }); @@ -61,7 +60,6 @@ export default function ({ getService }: FtrProviderContext) { ip: '185.53.91.88', defaultIndex: ['packetbeat-*'], factoryQueryType: NetworkQueries.details, - docValueFields: [], inspect: false, }, strategy: 'securitySolutionSearchStrategy', diff --git a/x-pack/test/api_integration/apis/uptime/rest/fixtures/browser_monitor.json b/x-pack/test/api_integration/apis/uptime/rest/fixtures/browser_monitor.json index 554f95ffd4587..5cc0d2bca4179 100644 --- a/x-pack/test/api_integration/apis/uptime/rest/fixtures/browser_monitor.json +++ b/x-pack/test/api_integration/apis/uptime/rest/fixtures/browser_monitor.json @@ -43,5 +43,5 @@ "locations": [], "name": "Test HTTP Monitor 03", "namespace": "testnamespace", - "monitor.origin": "ui" + "origin": "ui" } diff --git a/x-pack/test/api_integration/apis/uptime/rest/fixtures/http_monitor.json b/x-pack/test/api_integration/apis/uptime/rest/fixtures/http_monitor.json index a91630c9acee4..78f77bc53b095 100644 --- a/x-pack/test/api_integration/apis/uptime/rest/fixtures/http_monitor.json +++ b/x-pack/test/api_integration/apis/uptime/rest/fixtures/http_monitor.json @@ -61,5 +61,5 @@ }], "namespace": "testnamespace", "revision": 1, - "monitor.origin": "ui" + "origin": "ui" } 
diff --git a/x-pack/test/api_integration/apis/uptime/rest/fixtures/icmp_monitor.json b/x-pack/test/api_integration/apis/uptime/rest/fixtures/icmp_monitor.json
index 80286677c0697..29af9c7bf510b 100644
--- a/x-pack/test/api_integration/apis/uptime/rest/fixtures/icmp_monitor.json
+++ b/x-pack/test/api_integration/apis/uptime/rest/fixtures/icmp_monitor.json
@@ -33,5 +33,5 @@
 ],
 "name": "Test HTTP Monitor 04",
 "namespace": "testnamespace",
- "monitor.origin": "ui"
+ "origin": "ui"
 }
diff --git a/x-pack/test/api_integration/apis/uptime/rest/fixtures/tcp_monitor.json b/x-pack/test/api_integration/apis/uptime/rest/fixtures/tcp_monitor.json
index d5ac3b4721d48..5795f3f35df49 100644
--- a/x-pack/test/api_integration/apis/uptime/rest/fixtures/tcp_monitor.json
+++ b/x-pack/test/api_integration/apis/uptime/rest/fixtures/tcp_monitor.json
@@ -29,5 +29,5 @@
 ],
 "name": "Test HTTP Monitor 04",
 "namespace": "testnamespace",
- "monitor.origin": "ui"
+ "origin": "ui"
 }
diff --git a/x-pack/test/apm_api_integration/tests/csm/url_search.spec.ts b/x-pack/test/apm_api_integration/tests/csm/url_search.spec.ts
deleted file mode 100644
index 89e56face9343..0000000000000
--- a/x-pack/test/apm_api_integration/tests/csm/url_search.spec.ts
+++ /dev/null
@@ -1,93 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../common/ftr_provider_context'; - -export default function rumServicesApiTests({ getService }: FtrProviderContext) { - const registry = getService('registry'); - const supertest = getService('legacySupertestAsApmReadUser'); - - registry.when('CSM url search api without data', { config: 'trial', archives: [] }, () => { - it('returns empty list', async () => { - const response = await supertest.get('/internal/apm/ux/url-search').query({ - start: '2020-09-07T20:35:54.654Z', - end: '2020-09-14T20:35:54.654Z', - uiFilters: '{"serviceName":["elastic-co-rum-test"]}', - percentile: 50, - }); - - expect(response.status).to.be(200); - expectSnapshot(response.body).toMatchInline(` - Object { - "items": Array [], - "total": 0, - } - `); - }); - }); - - registry.when( - 'CSM url search api with data', - { config: 'trial', archives: ['8.0.0', 'rum_8.0.0'] }, - () => { - it('returns top urls when no query', async () => { - const response = await supertest.get('/internal/apm/ux/url-search').query({ - start: '2020-09-07T20:35:54.654Z', - end: '2020-09-16T20:35:54.654Z', - uiFilters: '{"serviceName":["kibana-frontend-8_0_0"]}', - percentile: 50, - }); - - expect(response.status).to.be(200); - - expectSnapshot(response.body).toMatchInline(` - Object { - "items": Array [ - Object { - "count": 5, - "pld": 4924000, - "url": "http://localhost:5601/nfw/app/csm?rangeFrom=now-15m&rangeTo=now&serviceName=kibana-frontend-8_0_0", - }, - Object { - "count": 1, - "pld": 2760000, - "url": "http://localhost:5601/nfw/app/home", - }, - ], - "total": 2, - } - `); - }); - - it('returns specific results against query', async () => { - const response = 
await supertest.get('/internal/apm/ux/url-search').query({ - start: '2020-09-07T20:35:54.654Z', - end: '2020-09-16T20:35:54.654Z', - uiFilters: '{"serviceName":["kibana-frontend-8_0_0"]}', - urlQuery: 'csm', - percentile: 50, - }); - - expect(response.status).to.be(200); - - expectSnapshot(response.body).toMatchInline(` - Object { - "items": Array [ - Object { - "count": 5, - "pld": 4924000, - "url": "http://localhost:5601/nfw/app/csm?rangeFrom=now-15m&rangeTo=now&serviceName=kibana-frontend-8_0_0", - }, - ], - "total": 1, - } - `); - }); - } - ); -} diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/alerts/get_cases.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/alerts/get_cases.ts index 739f8e5ec0892..691d132aa1ede 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/common/alerts/get_cases.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/alerts/get_cases.ts @@ -20,7 +20,7 @@ import { validateCasesFromAlertIDResponse } from '../../../../common/lib/validat // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { - const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); const authSpace2 = getAuthWithSuperUser('space2'); 
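Review bot: Switching the service to `supertestWithoutAuth` means every request is unauthenticated unless the call passes `auth`; the calls in this hunk and the two that follow all do, but any other helper call in the file that still omits `auth` will now run without credentials and fail — or, worse, pass against an endpoint that does not enforce them. The `es` service is still requested on the next line; if nothing in the file uses it after this change it can go.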
@@ -32,26 +32,26 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should return all cases with the same alert ID attached to them in space1', async () => {
 const [case1, case2, case3] = await Promise.all([
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
 ]);
 await Promise.all([
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case1.id,
 params: postCommentAlertReq,
 auth: authSpace1,
 }),
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case2.id,
 params: postCommentAlertReq,
 auth: authSpace1,
 }),
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case3.id,
 params: postCommentAlertReq,
 auth: authSpace1,
@@ -59,7 +59,7 @@ export default ({ getService }: FtrProviderContext): void => {
 ]);
 const cases = await getCasesByAlert({
- supertest,
+ supertest: supertestWithoutAuth,
 alertID: 'test-id',
 auth: authSpace1,
 });
@@ -70,26 +70,26 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should return 1 case in space2 when 2 cases were created in space1 and 1 in space2', async () => {
 const [case1, case2, case3] = await Promise.all([
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
- createCase(supertest, getPostCaseRequest(), 200, authSpace2),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace2),
 ]);
 await Promise.all([
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case1.id,
 params: postCommentAlertReq,
 auth: authSpace1,
 }),
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case2.id,
 params: postCommentAlertReq,
 auth: authSpace1,
 }),
 createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: case3.id,
 params: postCommentAlertReq,
 auth: authSpace2,
@@ -97,7 +97,7 @@ export default ({ getService }: FtrProviderContext): void => {
 ]);
 const casesByAlert = await getCasesByAlert({
- supertest,
+ supertest: supertestWithoutAuth,
 alertID: 'test-id',
 auth: authSpace2,
 });
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/delete_cases.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/delete_cases.ts
index 9de57a1b7abe2..d94cea06e5713 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/delete_cases.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/delete_cases.ts
@@ -19,7 +19,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -29,24 +29,47 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should delete a case in space1', async () => {
- const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
- const body = await deleteCases({ supertest, caseIDs: [postedCase.id], auth: authSpace1 });
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
+ const body = await deleteCases({
+ supertest: supertestWithoutAuth,
+ caseIDs: [postedCase.id],
+ auth: authSpace1,
+ });
- await getCase({ supertest, caseId: postedCase.id, expectedHttpCode: 404, auth: authSpace1 });
+ await getCase({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ expectedHttpCode: 404,
+ auth: authSpace1,
+ });
 expect(body).to.eql({});
 });
 it('should not delete a case in a different space', async () => {
- const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
 await deleteCases({
- supertest,
+ supertest: supertestWithoutAuth,
 caseIDs: [postedCase.id],
 auth: getAuthWithSuperUser('space2'),
 expectedHttpCode: 404,
 });
 // the case should still be there
- const caseInfo = await getCase({ supertest, caseId: postedCase.id, auth: authSpace1 });
+ const caseInfo = await getCase({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: authSpace1,
+ });
 expect(caseInfo.id).to.eql(postedCase.id);
 });
 });
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/find_cases.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/find_cases.ts
index 6513fe25b28e9..723e2330bdd93 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/find_cases.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/find_cases.ts
@@ -18,7 +18,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -28,11 +28,11 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should return 3 cases in space1', async () => {
- const a = await createCase(supertest, postCaseReq, 200, authSpace1);
- const b = await createCase(supertest, postCaseReq, 200, authSpace1);
- const c = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const a = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
+ const b = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
+ const c = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
- const cases = await findCases({ supertest, auth: authSpace1 });
+ const cases = await findCases({ supertest: supertestWithoutAuth, auth: authSpace1 });
 expect(cases).to.eql({
 ...findCasesResp,
@@ -45,12 +45,12 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should return 1 case in space2 when 2 cases were created in space1 and 1 in space2', async () => {
 const authSpace2 = getAuthWithSuperUser('space2');
 const [, , space2Case] = await Promise.all([
- createCase(supertest, postCaseReq, 200, authSpace1),
- createCase(supertest, postCaseReq, 200, authSpace1),
- createCase(supertest, postCaseReq, 200, authSpace2),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace2),
 ]);
- const cases = await findCases({ supertest, auth: authSpace2 });
+ const cases = await findCases({ supertest: supertestWithoutAuth, auth: authSpace2 });
 expect(cases).to.eql({
 ...findCasesResp,
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/get_case.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/get_case.ts
index 3ea6fac3772ed..0df628f93b28b 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/get_case.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/get_case.ts
@@ -19,7 +19,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -29,17 +29,31 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should return a case in space1', async () => {
- const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
- const theCase = await getCase({ supertest, caseId: postedCase.id, auth: authSpace1 });
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
+ const theCase = await getCase({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: authSpace1,
+ });
 const data = removeServerGeneratedPropertiesFromCase(theCase);
 expect(data).to.eql({ ...postCaseResp(), created_by: nullUser });
 });
 it('should not return a case in the wrong space', async () => {
- const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
 await getCase({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 auth: getAuthWithSuperUser('space2'),
 expectedHttpCode: 404,
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/patch_cases.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/patch_cases.ts
index 361358dc40604..ccf22279ec197 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/patch_cases.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/patch_cases.ts
@@ -19,7 +19,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -29,9 +29,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should patch a case in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCases = await updateCase({
- supertest,
+ supertest: supertestWithoutAuth,
 params: {
 cases: [
 {
@@ -54,9 +54,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not patch a case in a different space', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 await updateCase({
- supertest,
+ supertest: supertestWithoutAuth,
 params: {
 cases: [
 {
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/post_case.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/post_case.ts
index 4ac0573428445..f78816dd7ba1d 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/post_case.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/post_case.ts
@@ -20,7 +20,7 @@ import { FtrProviderContext } from '../../../../common/ftr_provider_context';
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -31,7 +31,7 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should post a case in space1', async () => {
 const postedCase = await createCase(
- supertest,
+ supertestWithoutAuth,
 getPostCaseRequest({
 connector: {
 id: '123',
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/reporters/get_reporters.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/reporters/get_reporters.ts
index d3c3176f4649f..983983f5d3b3e 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/reporters/get_reporters.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/reporters/get_reporters.ts
@@ -18,7 +18,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
 const authSpace2 = getAuthWithSuperUser('space2');
@@ -30,13 +30,16 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should not return reporters when security is disabled', async () => {
 await Promise.all([
- createCase(supertest, getPostCaseRequest(), 200, authSpace2),
- createCase(supertest, getPostCaseRequest(), 200, authSpace1),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace2),
+ createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1),
 ]);
- const reportersSpace1 = await getReporters({ supertest, auth: authSpace1 });
+ const reportersSpace1 = await getReporters({
+ supertest: supertestWithoutAuth,
+ auth: authSpace1,
+ });
 const reportersSpace2 = await getReporters({
- supertest,
+ supertest: supertestWithoutAuth,
 auth: authSpace2,
 });
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/status/get_status.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/status/get_status.ts
index c4e46675e7549..b48543d3699f6 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/status/get_status.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/status/get_status.ts
@@ -20,7 +20,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
 const authSpace2 = getAuthWithSuperUser('space2');
@@ -40,13 +40,13 @@ export default ({ getService }: FtrProviderContext): void => {
 * closed: 1
 */
 const [, inProgressCase, postedCase] = await Promise.all([
- createCase(supertest, postCaseReq, 200, authSpace1),
- createCase(supertest, postCaseReq, 200, authSpace1),
- createCase(supertest, postCaseReq, 200, authSpace2),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1),
+ createCase(supertestWithoutAuth, postCaseReq, 200, authSpace2),
 ]);
 await updateCase({
- supertest,
+ supertest: supertestWithoutAuth,
 params: {
 cases: [
 {
@@ -60,7 +60,7 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 await updateCase({
- supertest,
+ supertest: supertestWithoutAuth,
 params: {
 cases: [
 {
@@ -73,8 +73,14 @@ export default ({ getService }: FtrProviderContext): void => {
 auth: authSpace2,
 });
- const statusesSpace1 = await getAllCasesStatuses({ supertest, auth: authSpace1 });
- const statusesSpace2 = await getAllCasesStatuses({ supertest, auth: authSpace2 });
+ const statusesSpace1 = await getAllCasesStatuses({
+ supertest: supertestWithoutAuth,
+ auth: authSpace1,
+ });
+ const statusesSpace2 = await getAllCasesStatuses({
+ supertest: supertestWithoutAuth,
+ auth: authSpace2,
+ });
 expect(statusesSpace1).to.eql({
 count_open_cases: 1,
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/tags/get_tags.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/tags/get_tags.ts
index 630628a13b6b9..41074cd252735 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/tags/get_tags.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/cases/tags/get_tags.ts
@@ -18,7 +18,7 @@ import { getPostCaseRequest } from '../../../../../common/lib/mock';
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
 const authSpace2 = getAuthWithSuperUser('space2');
@@ -29,11 +29,16 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should return case tags in space1', async () => {
- await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
- await createCase(supertest, getPostCaseRequest({ tags: ['unique'] }), 200, authSpace2);
+ await createCase(supertestWithoutAuth, getPostCaseRequest(), 200, authSpace1);
+ await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ tags: ['unique'] }),
+ 200,
+ authSpace2
+ );
- const tagsSpace1 = await getTags({ supertest, auth: authSpace1 });
- const tagsSpace2 = await getTags({ supertest, auth: authSpace2 });
+ const tagsSpace1 = await getTags({ supertest: supertestWithoutAuth, auth: authSpace1 });
+ const tagsSpace2 = await getTags({ supertest: supertestWithoutAuth, auth: authSpace2 });
 expect(tagsSpace1).to.eql(['defacement']);
 expect(tagsSpace2).to.eql(['unique']);
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/delete_comment.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/delete_comment.ts
index 7e5abeb7edc2f..e43c41809eb3a 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/delete_comment.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/delete_comment.ts
@@ -21,7 +21,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -33,16 +33,16 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should delete a comment from space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 const comment = await deleteComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 commentId: patchedCase.comments![0].id,
 auth: authSpace1,
@@ -52,16 +52,16 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not delete a comment from a different space', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 await deleteComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 commentId: patchedCase.comments![0].id,
 expectedHttpCode: 404,
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/find_comments.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/find_comments.ts
index 2569d035fabb5..5bc9fd400de77 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/find_comments.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/find_comments.ts
@@ -22,7 +22,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -34,22 +34,27 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should find all case comments in space1', async () => {
- const caseInfo = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
+ const caseInfo = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: caseInfo.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: caseInfo.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
- const { body: caseComments } = await supertest
+ const { body: caseComments } = await supertestWithoutAuth
 .get(`${getSpaceUrlPrefix(authSpace1.space)}${CASES_URL}/${caseInfo.id}/comments/_find`)
 .expect(200);
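Review bot: The raw request `const { body: caseComments } = await supertestWithoutAuth .get(`${getSpaceUrlPrefix(authSpace1.space)}${CASES_URL}/${caseInfo.id}/comments/_find`) .expect(200);` in this hunk, and its `getSpaceUrlPrefix('space2')` twin in the next hunk of this file, send no credentials in the visible lines, whereas every helper call in the same tests now receives `auth: authSpace1` to carry the identity explicitly. If the spaces_only config runs with security disabled (the title "should not return reporters when security is disabled" in get_reporters.ts suggests it does) this is harmless today, but these two lines become the only places in the suite that silently depend on that, and they would fail with a 401 instead of asserting anything about space isolation should the config change. Consider routing them through the same helper pattern, or attaching the credentials from `authSpace1` to the request the way the helpers presumably do, so the access-control assumption is stated in one place; a one-line comment such as `// security is disabled in spaces_only: no credentials needed for the raw request` would also make the intent explicit. The enclosing default-export arrow function starts and ends outside this hunk.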
@@ -57,22 +62,27 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not find any case comments in space2', async () => {
- const caseInfo = await createCase(supertest, getPostCaseRequest(), 200, authSpace1);
+ const caseInfo = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest(),
+ 200,
+ authSpace1
+ );
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: caseInfo.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: caseInfo.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
- const { body: caseComments } = await supertest
+ const { body: caseComments } = await supertestWithoutAuth
 .get(`${getSpaceUrlPrefix('space2')}${CASES_URL}/${caseInfo.id}/comments/_find`)
 .expect(200);
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_all_comments.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_all_comments.ts
index ea3766b733cdc..9eba39d0a8545 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_all_comments.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_all_comments.ts
@@ -19,7 +19,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -29,40 +29,44 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should get multiple comments for a single case in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
- const comments = await getAllComments({ supertest, caseId: postedCase.id, auth: authSpace1 });
+ const comments = await getAllComments({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: authSpace1,
+ });
 expect(comments.length).to.eql(2);
 });
 it('should not find any comments in space2', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 const comments = await getAllComments({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 auth: getAuthWithSuperUser('space2'),
 });
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_comment.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_comment.ts
index 048700993087d..ebffac50e131a 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_comment.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/get_comment.ts
@@ -19,7 +19,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -29,15 +29,15 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should get a comment in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 const comment = await getComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 commentId: patchedCase.comments![0].id,
 auth: authSpace1,
@@ -47,15 +47,15 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not get a comment in space2 when it was created in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
 });
 await getComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 commentId: patchedCase.comments![0].id,
 auth: getAuthWithSuperUser('space2'),
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/patch_comment.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/patch_comment.ts
index 286c0d7b6925d..395fa81dcb968 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/patch_comment.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/patch_comment.ts
@@ -22,7 +22,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -34,9 +34,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should patch a comment in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
@@ -44,7 +44,7 @@ export default ({ getService }: FtrProviderContext): void => {
 const newComment = 'Well I decided to update my comment. So what? Deal with it.';
 const updatedCase = await updateComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 req: {
 id: patchedCase.comments![0].id,
@@ -63,9 +63,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not patch a comment in a different space', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
@@ -73,7 +73,7 @@ export default ({ getService }: FtrProviderContext): void => {
 const newComment = 'Well I decided to update my comment. So what? Deal with it.';
 await updateComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 req: {
 id: patchedCase.comments![0].id,
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/post_comment.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/post_comment.ts
index 0f268e3288c82..1eccb0dba8759 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/post_comment.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/comments/post_comment.ts
@@ -20,7 +20,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -30,9 +30,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should post a comment in space1', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: authSpace1,
@@ -57,9 +57,9 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should not post a comment on a case in a different space', async () => {
- const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
+ const postedCase = await createCase(supertestWithoutAuth, postCaseReq, 200, authSpace1);
 await createComment({
- supertest,
+ supertest: supertestWithoutAuth,
 caseId: postedCase.id,
 params: postCommentUserReq,
 auth: getAuthWithSuperUser('space2'),
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/get_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/get_configure.ts
index 573b96d71af4a..b1873d912890d 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/get_configure.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/get_configure.ts
@@ -21,7 +21,7 @@ import {
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -31,17 +31,20 @@ export default ({ getService }: FtrProviderContext): void => {
 });
 it('should return a configuration in space1', async () => {
- await createConfiguration(supertest, getConfigurationRequest(), 200, authSpace1);
- const configuration = await getConfiguration({ supertest, auth: authSpace1 });
+ await createConfiguration(supertestWithoutAuth, getConfigurationRequest(), 200, authSpace1);
+ const configuration = await getConfiguration({
+ supertest: supertestWithoutAuth,
+ auth: authSpace1,
+ });
 const data = removeServerGeneratedPropertiesFromSavedObject(configuration[0]);
 expect(data).to.eql(getConfigurationOutput(false, { created_by: nullUser }));
 });
 it('should not find a configuration when looking in a different space', async () => {
- await createConfiguration(supertest, getConfigurationRequest(), 200, authSpace1);
+ await createConfiguration(supertestWithoutAuth, getConfigurationRequest(), 200, authSpace1);
 const configuration = await getConfiguration({
- supertest,
+ supertest: supertestWithoutAuth,
 auth: getAuthWithSuperUser('space2'),
 });
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/patch_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/patch_configure.ts
index f61e8698c1191..c681718d50cb5 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/patch_configure.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/patch_configure.ts
@@ -21,7 +21,7 @@ import { nullUser } from '../../../../common/lib/mock';
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext): void => {
- const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
 const es = getService('es');
 const authSpace1 = getAuthWithSuperUser();
@@ -32,13 +32,13 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should patch a configuration in space1', async () => {
 const configuration = await createConfiguration(
- supertest,
+ supertestWithoutAuth,
 getConfigurationRequest(),
 200,
 authSpace1
 );
 const newConfiguration = await updateConfiguration(
- supertest,
+ supertestWithoutAuth,
 configuration.id,
 {
 closure_type: 'close-by-pushing',
@@ -57,13 +57,13 @@ export default ({ getService }: FtrProviderContext): void => {
 it('should not patch a configuration in a different space', async () => {
 const configuration = await createConfiguration(
- supertest,
+ supertestWithoutAuth,
 getConfigurationRequest(),
 200,
 authSpace1
 );
 await updateConfiguration(
- supertest,
+ supertestWithoutAuth,
 configuration.id,
 {
 closure_type: 'close-by-pushing',
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/post_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/post_configure.ts
index 161075616925c..a3e7a8f58e24a 100644
--- a/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/post_configure.ts
+++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/configure/post_configure.ts
@@ -20,7 +20,7 @@ import { nullUser } from '../../../../common/lib/mock'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { - const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); @@ -31,7 +31,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should create a configuration in space1', async () => { const configuration = await createConfiguration( - supertest, + supertestWithoutAuth, getConfigurationRequest(), 200, authSpace1 diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/metrics/get_cases_metrics.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/metrics/get_cases_metrics.ts index 66fb3f4343e58..9ce6119060fe1 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/common/metrics/get_cases_metrics.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/metrics/get_cases_metrics.ts @@ -17,7 +17,7 @@ import { // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const es = getService('es'); - const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const kibanaServer = getService('kibanaServer'); const authSpace1 = getAuthWithSuperUser(); @@ -50,7 +50,7 @@ export default ({ getService }: FtrProviderContext): void => { describe('MTTR', () => { it('should calculate the mttr correctly on space 1', async () => { const metrics = await getCasesMetrics({ - supertest, + supertest: supertestWithoutAuth, features: ['mttr'], auth: authSpace1, }); 
@@ -61,7 +61,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should calculate the mttr correctly on space 2', async () => { const authSpace2 = getAuthWithSuperUser('space2'); const metrics = await getCasesMetrics({ - supertest, + supertest: supertestWithoutAuth, features: ['mttr'], auth: authSpace2, }); diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/common/user_actions/get_all_user_actions.ts b/x-pack/test/cases_api_integration/spaces_only/tests/common/user_actions/get_all_user_actions.ts index 199e53ebd1bb5..4b97d30ecf1f5 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/common/user_actions/get_all_user_actions.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/common/user_actions/get_all_user_actions.ts @@ -18,7 +18,7 @@ import { // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { - const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); 
@@ -28,16 +28,30 @@ export default ({ getService }: FtrProviderContext): void => { }); it(`should get user actions in space1`, async () => { - const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1); - const body = await getCaseUserActions({ supertest, caseID: postedCase.id, auth: authSpace1 }); + const postedCase = await createCase( + supertestWithoutAuth, + getPostCaseRequest(), + 200, + authSpace1 + ); + const body = await getCaseUserActions({ + supertest: supertestWithoutAuth, + caseID: postedCase.id, + auth: authSpace1, + }); expect(body.length).to.eql(1); }); it(`should not get user actions in the wrong space`, async () => { - const postedCase = await createCase(supertest, getPostCaseRequest(), 200, authSpace1); + const postedCase = await createCase( + supertestWithoutAuth, + getPostCaseRequest(), + 200, + authSpace1 + ); const body = await getCaseUserActions({ - supertest, + supertest: supertestWithoutAuth, caseID: postedCase.id, auth: getAuthWithSuperUser('space2'), }); diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/trial/cases/push_case.ts b/x-pack/test/cases_api_integration/spaces_only/tests/trial/cases/push_case.ts index bfb266e6f6c3a..09cbc2b9ad18b 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/trial/cases/push_case.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/trial/cases/push_case.ts @@ -23,6 +23,7 @@ import { // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); 
@@ -48,13 +49,13 @@ export default ({ getService }: FtrProviderContext): void => { it('should push a case in space1', async () => { const { postedCase, connector } = await createCaseWithConnector({ - supertest, + supertest: supertestWithoutAuth, serviceNowSimulatorURL, actionsRemover, auth: authSpace1, }); const theCase = await pushCase({ - supertest, + supertest: supertestWithoutAuth, caseId: postedCase.id, connectorId: connector.id, auth: authSpace1, @@ -75,13 +76,13 @@ export default ({ getService }: FtrProviderContext): void => { it('should not push a case in a different space', async () => { const { postedCase, connector } = await createCaseWithConnector({ - supertest, + supertest: supertestWithoutAuth, serviceNowSimulatorURL, actionsRemover, auth: authSpace1, }); await pushCase({ - supertest, + supertest: supertestWithoutAuth, caseId: postedCase.id, connectorId: connector.id, auth: getAuthWithSuperUser('space2'), diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_configure.ts index 405323005e64e..c68437968e0da 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_configure.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_configure.ts @@ -8,7 +8,7 @@ import http from 'http'; import expect from '@kbn/expect'; import { ConnectorTypes } from '@kbn/cases-plugin/common/api'; -import { FtrProviderContext } from '../../../../../common/ftr_provider_context'; +import { FtrProviderContext } from '../../../../common/ftr_provider_context'; import { ObjectRemover as ActionsRemover } from '../../../../../alerting_api_integration/common/lib'; import { 
@@ -27,6 +27,7 @@ import { nullUser } from '../../../../common/lib/mock'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const actionsRemover = new ActionsRemover(supertest); const authSpace1 = getAuthWithSuperUser(); @@ -50,7 +51,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should return a configuration with a mapping from space1', async () => { const connector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: { ...getServiceNowConnector(), config: { apiUrl: serviceNowSimulatorURL }, @@ -60,7 +61,7 @@ export default ({ getService }: FtrProviderContext): void => { actionsRemover.add('space1', connector.id, 'action', 'actions'); await createConfiguration( - supertest, + supertestWithoutAuth, getConfigurationRequest({ id: connector.id, name: connector.name, @@ -105,7 +106,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should not return a configuration with a mapping from a different space', async () => { const connector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: { ...getServiceNowConnector(), config: { apiUrl: serviceNowSimulatorURL }, diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_connectors.ts b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_connectors.ts index 0ca47597e7b6b..b08b6f21390d4 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_connectors.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/get_connectors.ts 
@@ -6,7 +6,7 @@ */ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../../../common/ftr_provider_context'; +import { FtrProviderContext } from '../../../../common/ftr_provider_context'; import { ObjectRemover as ActionsRemover } from '../../../../../alerting_api_integration/common/lib'; import { @@ -25,6 +25,7 @@ import { // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const actionsRemover = new ActionsRemover(supertest); const authSpace1 = getAuthWithSuperUser(); const space = getActionsSpace(authSpace1.space); @@ -36,35 +37,35 @@ export default ({ getService }: FtrProviderContext): void => { it('should return the correct connectors in space1', async () => { const snConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowConnector(), auth: authSpace1, }); const snOAuthConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowOAuthConnector(), auth: authSpace1, }); const emailConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getEmailConnector(), auth: authSpace1, }); const jiraConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getJiraConnector(), auth: authSpace1, }); const resilientConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getResilientConnector(), auth: authSpace1, }); const sir = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowSIRConnector(), auth: authSpace1, }); 
@@ -76,7 +77,10 @@ export default ({ getService }: FtrProviderContext): void => { actionsRemover.add(space, jiraConnector.id, 'action', 'actions'); actionsRemover.add(space, resilientConnector.id, 'action', 'actions'); - const connectors = await getCaseConnectors({ supertest, auth: authSpace1 }); + const connectors = await getCaseConnectors({ + supertest: supertestWithoutAuth, + auth: authSpace1, + }); const sortedConnectors = connectors.sort((a, b) => a.name.localeCompare(b.name)); expect(sortedConnectors).to.eql([ @@ -174,37 +178,37 @@ export default ({ getService }: FtrProviderContext): void => { it('should not return any connectors when looking in the wrong space', async () => { const snConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowConnector(), auth: authSpace1, }); const snOAuthConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowOAuthConnector(), auth: authSpace1, }); const emailConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getEmailConnector(), auth: authSpace1, }); const jiraConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getJiraConnector(), auth: authSpace1, }); const resilientConnector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getResilientConnector(), auth: authSpace1, }); const sir = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: getServiceNowSIRConnector(), auth: authSpace1, }); @@ -217,7 +221,7 @@ export default ({ getService }: FtrProviderContext): void => { actionsRemover.add(space, resilientConnector.id, 'action', 'actions'); const connectors = await getCaseConnectors({ - supertest, + supertest: supertestWithoutAuth, auth: getAuthWithSuperUser('space2'), }); 
diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/patch_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/patch_configure.ts index 084e05921fb47..e984cab68f9dd 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/patch_configure.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/patch_configure.ts @@ -29,6 +29,7 @@ import { nullUser } from '../../../../common/lib/mock'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); const space = getActionsSpace(authSpace1.space); @@ -55,7 +56,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should patch a configuration connector and create mappings in space1', async () => { const connector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: { ...getServiceNowConnector(), config: { apiUrl: serviceNowSimulatorURL }, @@ -67,7 +68,7 @@ export default ({ getService }: FtrProviderContext): void => { // Configuration is created with no connector so the mappings are empty const configuration = await createConfiguration( - supertest, + supertestWithoutAuth, getConfigurationRequest(), 200, authSpace1 @@ -82,7 +83,7 @@ export default ({ getService }: FtrProviderContext): void => { }); const newConfiguration = await updateConfiguration( - supertest, + supertestWithoutAuth, configuration.id, { ...reqWithoutOwner, 
@@ -125,7 +126,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should not patch a configuration connector when it is in a different space', async () => { const connector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: { ...getServiceNowConnector(), config: { apiUrl: serviceNowSimulatorURL }, @@ -137,7 +138,7 @@ export default ({ getService }: FtrProviderContext): void => { // Configuration is created with no connector so the mappings are empty const configuration = await createConfiguration( - supertest, + supertestWithoutAuth, getConfigurationRequest(), 200, authSpace1 @@ -152,7 +153,7 @@ export default ({ getService }: FtrProviderContext): void => { }); await updateConfiguration( - supertest, + supertestWithoutAuth, configuration.id, { ...reqWithoutOwner, diff --git a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/post_configure.ts b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/post_configure.ts index 13d2cc6070727..4a8ffe56d35eb 100644 --- a/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/post_configure.ts +++ b/x-pack/test/cases_api_integration/spaces_only/tests/trial/configure/post_configure.ts @@ -28,6 +28,7 @@ import { nullUser } from '../../../../common/lib/mock'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { const supertest = getService('supertest'); + const supertestWithoutAuth = getService('supertestWithoutAuth'); const es = getService('es'); const authSpace1 = getAuthWithSuperUser(); const space = getActionsSpace(authSpace1.space); @@ -54,7 +55,7 @@ export default ({ getService }: FtrProviderContext): void => { it('should create a configuration with a mapping in space1', async () => { const connector = await createConnector({ - supertest, + supertest: supertestWithoutAuth, req: { ...getServiceNowConnector(), config: { apiUrl: serviceNowSimulatorURL }, 
@@ -65,7 +66,7 @@ export default ({ getService }: FtrProviderContext): void => { actionsRemover.add(space, connector.id, 'action', 'actions'); const postRes = await createConfiguration( - supertest, + supertestWithoutAuth, getConfigurationRequest({ id: connector.id, name: connector.name, diff --git a/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts b/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts index 5eb2a409d37f4..599488baf6707 100644 --- a/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts +++ b/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts @@ -160,6 +160,26 @@ export default function (providerContext: FtrProviderContext) { }) .expect(400); }); + + it('should respond 400 if trying to downgrade version', async () => { + await es.update({ + id: 'agent1', + refresh: 'wait_for', + index: AGENTS_INDEX, + body: { + doc: { + local_metadata: { elastic: { agent: { upgradeable: true, version: '7.0.0' } } }, + }, + }, + }); + await supertest + .post(`/api/fleet/agents/agent1/upgrade`) + .set('kbn-xsrf', 'xxx') + .send({ + version: '6.0.0', + }) + .expect(400); + }); it('should respond 400 if trying to upgrade with source_uri set', async () => { const kibanaVersion = await kibanaServer.version.get(); const res = await supertest 
@@ -710,6 +730,44 @@ export default function (providerContext: FtrProviderContext) { }) .expect(400); }); + it('should prevent any agent to downgrade', async () => { + await es.update({ + id: 'agent1', + refresh: 'wait_for', + index: AGENTS_INDEX, + body: { + doc: { + policy_id: `agent-policy-1`, + local_metadata: { elastic: { agent: { upgradeable: true, version: '6.0.0' } } }, + }, + }, + }); + await es.update({ + id: 'agent2', + refresh: 'wait_for', + index: AGENTS_INDEX, + body: { + doc: { + policy_id: `agent-policy-2`, + local_metadata: { elastic: { agent: { upgradeable: true, version: '6.0.0' } } }, + }, + }, + }); + await supertest + .post(`/api/fleet/agents/bulk_upgrade`) + .set('kbn-xsrf', 'xxx') + .send({ + agents: ['agent1', 'agent2'], + version: '5.0.0', + }) + .expect(200); + const [agent1data, agent2data] = await Promise.all([ + supertest.get(`/api/fleet/agents/agent1`).set('kbn-xsrf', 'xxx'), + supertest.get(`/api/fleet/agents/agent2`).set('kbn-xsrf', 'xxx'), + ]); + expect(typeof agent1data.body.item.upgrade_started_at).to.be('undefined'); + expect(typeof agent2data.body.item.upgrade_started_at).to.be('undefined'); + }); it('should throw an error if source_uri parameter is passed', async () => { const kibanaVersion = await kibanaServer.version.get(); diff --git a/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts b/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts index 0d06a1ca9e0f7..44d609c5d492e 100644 --- a/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts +++ b/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts 
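Review bot: `.expect(400)` in the new 'should respond 400 if trying to downgrade version' test pins only the status, so a 400 produced for an unrelated reason (a body validation failure, for instance) would still pass; keep the response and assert the message as well, e.g. `const res = await supertest.post(...).set(...).send({ version: '6.0.0' }).expect(400); expect(res.body.message).to.contain('<downgrade-rejection text from the handler>');`. The bulk test in the second hunk (`@@ -710,6 +730,44 @@`) has the same gap: `.expect(200)` plus `upgrade_started_at` being undefined proves nothing was started, but not that the API reported the refusal, so if the bulk_upgrade response body carries per-agent results (not visible here) assert on them too, otherwise a regression that silently drops agents from the batch still passes. Both tests also rewrite `local_metadata.elastic.agent.version` (and `policy_id` in the bulk case) on agent1/agent2 without resetting, which is only safe if every later test in the same describe re-seeds those documents the way these do. The enclosing describe blocks start and end outside the hunks.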
@@ -12,6 +12,12 @@ import { FtrProviderContext } from '../../../api_integration/ftr_provider_contex import { skipIfNoDockerRegistry } from '../../helpers'; import { setupFleetAndAgents } from '../agents/services'; +function checkErrorWithResponseDataOrThrow(err: any) { + if (!err?.response?.data) { + throw err; + } +} + export default function (providerContext: FtrProviderContext) { const { getService } = providerContext; const kibanaServer = getService('kibanaServer'); @@ -57,15 +63,18 @@ export default function (providerContext: FtrProviderContext) { }); }); - // FLAKY: https://github.com/elastic/kibana/issues/132333 - describe.skip('uninstalls all assets when uninstalling a package', async () => { - before(async () => { + describe('uninstalls all assets when uninstalling a package', async () => { + // these tests ensure that uninstall works properly so make sure that the package gets installed and uninstalled + // and then we'll test that not artifacts are left behind. + before(() => { if (!server.enabled) return; - // these tests ensure that uninstall works properly so make sure that the package gets installed and uninstalled - // and then we'll test that not artifacts are left behind. - await installPackage(pkgName, pkgVersion); - await uninstallPackage(pkgName, pkgVersion); + return installPackage(pkgName, pkgVersion); + }); + before(() => { + if (!server.enabled) return; + return uninstallPackage(pkgName, pkgVersion); }); + it('should have uninstalled the index templates', async function () { const resLogsTemplate = await es.transport.request( { @@ -199,6 +208,7 @@ export default function (providerContext: FtrProviderContext) { id: 'sample_dashboard', }); } catch (err) { + checkErrorWithResponseDataOrThrow(err); resDashboard = err; } expect(resDashboard.response.data.statusCode).equal(404); 
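Review bot: `checkErrorWithResponseDataOrThrow(err: any)` has no comment and an `any` parameter, although it is the gate that decides whether a caught error is the expected HTTP failure or something unrelated; a one-line header such as `/** Rethrow anything that is not an HTTP error with a response body, so unrelated failures surface here instead of as a TypeError on err.response.data below. */` and a narrowing signature, `function checkErrorWithResponseDataOrThrow(err: unknown): asserts err is { response: { data: { statusCode: number } } }`, would document the contract and let the `res… = err` call sites in the later hunks (`@@ -199,6 +208,7 @@` through `@@ -482,6 +499,7 @@`) stop relying on unchecked property access. The exact error shape thrown by the kibanaServer client is not visible in this diff, so the asserted type should be taken from it rather than from this note.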
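Review bot: `describe('uninstalls all assets when uninstalling a package', async () => {` on the re-enabled suite keeps an `async` callback; Mocha does not await a suite callback's promise and the hooks inside register synchronously anyway, so the keyword is misleading (and depending on the Mocha version a suite callback that returns a Promise may be warned about or rejected) — write `describe('uninstalls all assets when uninstalling a package', () => {`. The moved comment above the first `before` reads "test that not artifacts are left behind"; it should say "no artifacts". Splitting install and uninstall into two `before` hooks is otherwise fine, and returning the promise from each is equivalent to awaiting it. The suite body continues outside the hunk.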
@@ -209,6 +219,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'sample_dashboard2',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resDashboard2 = err;
 }
 expect(resDashboard2.response.data.statusCode).equal(404);
@@ -219,6 +230,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'sample_visualization',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resVis = err;
 }
 expect(resVis.response.data.statusCode).equal(404);
@@ -229,6 +241,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'sample_search',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resSearch = err;
 }
 expect(resSearch.response.data.statusCode).equal(404);
@@ -239,6 +252,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'test-*',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resIndexPattern = err;
 }
 expect(resIndexPattern.response.data.statusCode).equal(404);
@@ -249,6 +263,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'sample_osquery_pack_asset',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resOsqueryPackAsset = err;
 }
 expect(resOsqueryPackAsset.response.data.statusCode).equal(404);
@@ -259,6 +274,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'sample_osquery_saved_query',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resOsquerySavedQuery = err;
 }
 expect(resOsquerySavedQuery.response.data.statusCode).equal(404);
@@ -271,6 +287,7 @@ export default function (providerContext: FtrProviderContext) {
 id: 'all_assets',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 res = err;
 }
 expect(res.response.data.statusCode).equal(404);
@@ -482,6 +499,7 @@ const expectAssetsInstalled = ({
 id: 'invalid',
 });
 } catch (err) {
+ checkErrorWithResponseDataOrThrow(err);
 resInvalidTypeIndexPattern = err;
 }
 expect(resInvalidTypeIndexPattern.response.data.statusCode).equal(404);
diff --git a/x-pack/test/fleet_api_integration/apis/epm/setup.ts b/x-pack/test/fleet_api_integration/apis/epm/setup.ts index 6d79a1c0a85c4..00d964cb64e7c 100644 --- a/x-pack/test/fleet_api_integration/apis/epm/setup.ts +++ b/x-pack/test/fleet_api_integration/apis/epm/setup.ts @@ -74,7 +74,7 @@ export default function (providerContext: FtrProviderContext) { }); it('should upgrade package policy on setup if keep policies up to date set to true', async () => { - const oldVersion = '1.9.0'; + const oldVersion = '1.11.0'; await supertest .post(`/api/fleet/epm/packages/system/${oldVersion}`) .set('kbn-xsrf', 'xxxx') diff --git a/x-pack/test/fleet_api_integration/config.ts b/x-pack/test/fleet_api_integration/config.ts index d5284c23f7fb7..d73904d792955 100644 --- a/x-pack/test/fleet_api_integration/config.ts +++ b/x-pack/test/fleet_api_integration/config.ts @@ -15,7 +15,7 @@ import { defineDockerServersConfig } from '@kbn/test'; // example: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fpackage-storage/detail/snapshot/74/pipeline/257#step-302-log-1. // It should be updated any time there is a new Docker image published for the Snapshot Distribution of the Package Registry. export const dockerImage = - 'docker.elastic.co/package-registry/distribution:e1a3906e0c9944ecade05308022ba35eb0ebd00a'; + 'docker.elastic.co/package-registry/distribution:93ffe45d8c4ae11365bc70b1038643121049b9fe'; export const BUNDLED_PACKAGE_DIR = '/tmp/fleet_bundled_packages'; diff --git a/x-pack/test/functional/apps/dashboard/group1/index.ts b/x-pack/test/functional/apps/dashboard/group1/index.ts index f829002448f33..5e44cae752905 100644 --- a/x-pack/test/functional/apps/dashboard/group1/index.ts +++ b/x-pack/test/functional/apps/dashboard/group1/index.ts 
@@ -11,7 +11,5 @@ export default function ({ loadTestFile }: FtrProviderContext) {
 describe('dashboard', function () {
 loadTestFile(require.resolve('./feature_controls'));
 loadTestFile(require.resolve('./preserve_url'));
- loadTestFile(require.resolve('./reporting'));
- loadTestFile(require.resolve('./drilldowns'));
 });
 }
diff --git a/x-pack/test/functional/apps/dashboard/group3/config.ts b/x-pack/test/functional/apps/dashboard/group3/config.ts
new file mode 100644
index 0000000000000..d927f93adeffd
--- /dev/null
+++ b/x-pack/test/functional/apps/dashboard/group3/config.ts
@@ -0,0 +1,17 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(require.resolve('../../../config.base.js'));
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('.')],
+ };
+}
diff --git a/x-pack/test/functional/apps/dashboard/group1/drilldowns/dashboard_to_dashboard_drilldown.ts b/x-pack/test/functional/apps/dashboard/group3/drilldowns/dashboard_to_dashboard_drilldown.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/drilldowns/dashboard_to_dashboard_drilldown.ts
rename to x-pack/test/functional/apps/dashboard/group3/drilldowns/dashboard_to_dashboard_drilldown.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/drilldowns/dashboard_to_url_drilldown.ts b/x-pack/test/functional/apps/dashboard/group3/drilldowns/dashboard_to_url_drilldown.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/drilldowns/dashboard_to_url_drilldown.ts
rename to x-pack/test/functional/apps/dashboard/group3/drilldowns/dashboard_to_url_drilldown.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/drilldowns/explore_data_chart_action.ts b/x-pack/test/functional/apps/dashboard/group3/drilldowns/explore_data_chart_action.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/drilldowns/explore_data_chart_action.ts
rename to x-pack/test/functional/apps/dashboard/group3/drilldowns/explore_data_chart_action.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/drilldowns/explore_data_panel_action.ts b/x-pack/test/functional/apps/dashboard/group3/drilldowns/explore_data_panel_action.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/drilldowns/explore_data_panel_action.ts
rename to x-pack/test/functional/apps/dashboard/group3/drilldowns/explore_data_panel_action.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/drilldowns/index.ts b/x-pack/test/functional/apps/dashboard/group3/drilldowns/index.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/drilldowns/index.ts
rename to x-pack/test/functional/apps/dashboard/group3/drilldowns/index.ts
diff --git a/x-pack/test/functional/apps/dashboard/group3/index.ts b/x-pack/test/functional/apps/dashboard/group3/index.ts
new file mode 100644
index 0000000000000..98ccd85b7c15d
--- /dev/null
+++ b/x-pack/test/functional/apps/dashboard/group3/index.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+ describe('dashboard', function () {
+ loadTestFile(require.resolve('./reporting'));
+ loadTestFile(require.resolve('./drilldowns'));
+ });
+}
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/README.md b/x-pack/test/functional/apps/dashboard/group3/reporting/README.md
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/README.md
rename to x-pack/test/functional/apps/dashboard/group3/reporting/README.md
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/__snapshots__/download_csv.snap b/x-pack/test/functional/apps/dashboard/group3/reporting/__snapshots__/download_csv.snap
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/__snapshots__/download_csv.snap
rename to x-pack/test/functional/apps/dashboard/group3/reporting/__snapshots__/download_csv.snap
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/download_csv.ts b/x-pack/test/functional/apps/dashboard/group3/reporting/download_csv.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/download_csv.ts
rename to x-pack/test/functional/apps/dashboard/group3/reporting/download_csv.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/index.ts b/x-pack/test/functional/apps/dashboard/group3/reporting/index.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/index.ts
rename to x-pack/test/functional/apps/dashboard/group3/reporting/index.ts
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/large_dashboard_preserve_layout.png b/x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/large_dashboard_preserve_layout.png
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/large_dashboard_preserve_layout.png
rename to x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/large_dashboard_preserve_layout.png
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/sample_data_ecommerce_76.png b/x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/sample_data_ecommerce_76.png
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/sample_data_ecommerce_76.png
rename to x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/sample_data_ecommerce_76.png
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/small_dashboard_preserve_layout.png b/x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/small_dashboard_preserve_layout.png
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/reports/baseline/small_dashboard_preserve_layout.png
rename to x-pack/test/functional/apps/dashboard/group3/reporting/reports/baseline/small_dashboard_preserve_layout.png
diff --git a/x-pack/test/functional/apps/dashboard/group1/reporting/screenshots.ts b/x-pack/test/functional/apps/dashboard/group3/reporting/screenshots.ts
similarity index 100%
rename from x-pack/test/functional/apps/dashboard/group1/reporting/screenshots.ts
rename to x-pack/test/functional/apps/dashboard/group3/reporting/screenshots.ts
diff --git a/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts b/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts
index 301fc5102a94f..e9ec6d7bfc1d6 100644
--- a/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts +++ b/x-pack/test/functional/apps/ml/permissions/read_ml_access.ts @@ -9,9 +9,10 @@ import { FtrProviderContext } from '../../../ftr_provider_context'; import { USER } from '../../../services/ml/security_common'; -export default function ({ getService }: FtrProviderContext) { +export default function ({ getService, getPageObjects }: FtrProviderContext) { const esArchiver = getService('esArchiver'); const ml = getService('ml'); + const PageObjects = getPageObjects(['common', 'error']); const testUsers = [ { user: USER.ML_VIEWER, discoverAvailable: true }, @@ -100,6 +101,13 @@ export default function ({ getService }: FtrProviderContext) { await ml.overviewPage.assertDFACreateJobButtonExists(); await ml.overviewPage.assertDFACreateJobButtonEnabled(false); }); + + it('should redirect to the Overview page from the unrecognized routes', async () => { + await PageObjects.common.navigateToUrl('ml', 'magic-ai'); + + await ml.testExecution.logTestStep('should display a warning banner'); + await ml.overviewPage.assertPageNotFoundBannerText('magic-ai'); + }); }); } }); diff --git a/x-pack/test/functional/apps/security/doc_level_security_roles.ts b/x-pack/test/functional/apps/security/doc_level_security_roles.ts index 69f25fbe3164f..65811fbf5e118 100644 --- a/x-pack/test/functional/apps/security/doc_level_security_roles.ts +++ b/x-pack/test/functional/apps/security/doc_level_security_roles.ts @@ -27,6 +27,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.common.navigateToApp('settings'); await PageObjects.settings.createIndexPattern('dlstest', null); + await security.testUser.setRoles(['cluster_security_manager', 'kibana_admin']); await PageObjects.settings.navigateTo(); await PageObjects.security.clickElasticsearchRoles(); }); 
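Review bot: The new 'should redirect to the Overview page from the unrecognized routes' test exercises a single benign path segment, `'magic-ai'`, while `assertPageNotFoundBannerText('magic-ai')` suggests the banner echoes the requested path back into the page; a second case with a segment containing characters that need escaping would confirm the reflected value is rendered as text rather than interpreted as markup, which is the regression this kind of banner is prone to. `ml.overviewPage.assertPageNotFoundBannerText` is not in this diff, so whether it compares text content or a rendered fragment should be checked in the page object. The closing braces suggest the test runs once per entry of `testUsers` (inferred; the loop is outside the hunk), so a short comment stating that the redirect and banner are expected regardless of the user's ML privileges would make that intent explicit.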
@@ -82,6 +83,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.security.forceLogout(); await security.user.delete('userEast'); await security.role.delete('myroleEast'); + await security.testUser.restoreDefaults(); }); }); } diff --git a/x-pack/test/functional/apps/security/field_level_security.ts b/x-pack/test/functional/apps/security/field_level_security.ts index 917d41bdbb377..b4b21f6c38b3d 100644 --- a/x-pack/test/functional/apps/security/field_level_security.ts +++ b/x-pack/test/functional/apps/security/field_level_security.ts @@ -16,9 +16,11 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const log = getService('log'); const PageObjects = getPageObjects(['security', 'settings', 'common', 'discover', 'header']); const kibanaServer = getService('kibanaServer'); + const security = getService('security'); describe('field_level_security', () => { before('initialize tests', async () => { + await security.testUser.setRoles(['cluster_security_manager', 'kibana_admin']); await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/security/flstest/data'); // ( data) await kibanaServer.importExport.load( 'x-pack/test/functional/fixtures/kbn_archiver/security/flstest/index_pattern' @@ -127,6 +129,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await kibanaServer.importExport.unload( 'x-pack/test/functional/fixtures/kbn_archiver/security/flstest/index_pattern' ); + await security.testUser.restoreDefaults(); }); }); } diff --git a/x-pack/test/functional/apps/security/management.ts b/x-pack/test/functional/apps/security/management.ts index c6f25ad30bafb..c577f256c9c8b 100644 --- a/x-pack/test/functional/apps/security/management.ts +++ b/x-pack/test/functional/apps/security/management.ts 
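Review bot: `await security.testUser.restoreDefaults();` is appended as the last statement of an existing `after` hook, after `security.user.delete('userEast')` and `security.role.delete('myroleEast')`, so any failure in those earlier teardown calls skips it and leaves the shared test user holding the `cluster_security_manager` role (`manage_security`) for the following suites. The `users.ts` hunk in this same commit already uses the safer shape, a dedicated `after(async () => { await security.testUser.restoreDefaults(); });`; the same pattern should be applied here and in the matching `after` hooks of `field_level_security.ts`, `management.ts`, `secure_roles_perm.ts` and `user_email.ts`. The `before` hook in the preceding `doc_level_security_roles.ts` hunk also calls `setRoles` after `createIndexPattern`, which appears intentional but deserves a one-line comment stating that the elevated role is only needed for the roles UI.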
@@ -13,6 +13,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const testSubjects = getService('testSubjects'); const browser = getService('browser'); const find = getService('find'); + const security = getService('security'); const PageObjects = getPageObjects(['security', 'settings', 'common', 'header']); const USERS_PATH = 'security/users'; @@ -22,12 +23,12 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const ROLES_PATH = 'security/roles'; const EDIT_ROLES_PATH = `${ROLES_PATH}/edit`; const CLONE_ROLES_PATH = `${ROLES_PATH}/clone`; - const security = getService('security'); describe('Management', function () { this.tags(['skipFirefox']); before(async () => { + await security.testUser.setRoles(['cluster_security_manager']); await PageObjects.security.initTests(); await kibanaServer.uiSettings.update({ defaultIndex: 'logstash-*', @@ -51,6 +52,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await security.role.delete('logstash-readonly'); await security.user.delete('dashuser'); await security.user.delete('new-user'); + await security.testUser.restoreDefaults(); }); describe('Security', () => { diff --git a/x-pack/test/functional/apps/security/secure_roles_perm.ts b/x-pack/test/functional/apps/security/secure_roles_perm.ts index c9e7bb6e4da6c..9788712a6207c 100644 --- a/x-pack/test/functional/apps/security/secure_roles_perm.ts +++ b/x-pack/test/functional/apps/security/secure_roles_perm.ts 
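Review bot: `setRoles(['cluster_security_manager'])` here grants only the Elasticsearch-side role, whereas `doc_level_security_roles.ts`, `field_level_security.ts` and `secure_roles_perm.ts` add `'kibana_admin'` alongside it; the difference is not explained and a reader cannot tell whether this suite relies on privileges left over from the default test user. A short comment on the `setRoles` line, e.g. `// manage_security is enough here: this suite only exercises the Users/Roles management pages`, would document the intent, and the same applies to `user_email.ts` and `users.ts` later in this commit. Moving `const security = getService('security');` up next to the other services is fine; the `describe` body continues outside the hunk.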
@@ -24,11 +24,13 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const browser = getService('browser'); const kibanaServer = getService('kibanaServer'); const testSubjects = getService('testSubjects'); + const security = getService('security'); describe('secure roles and permissions', function () { before(async () => { await browser.setWindowSize(1600, 1000); log.debug('users'); + await security.testUser.setRoles(['cluster_security_manager', 'kibana_admin']); await esArchiver.loadIfNeeded('x-pack/test/functional/es_archives/logstash_functional'); log.debug('load kibana index with default index pattern'); await kibanaServer.importExport.load( @@ -92,6 +94,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await kibanaServer.importExport.unload( 'x-pack/test/functional/fixtures/kbn_archiver/security/discover' ); + await security.testUser.restoreDefaults(); }); }); } diff --git a/x-pack/test/functional/apps/security/user_email.ts b/x-pack/test/functional/apps/security/user_email.ts index 65bf111ceedbf..f7878543bf3e7 100644 --- a/x-pack/test/functional/apps/security/user_email.ts +++ b/x-pack/test/functional/apps/security/user_email.ts @@ -12,6 +12,7 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService, getPageObjects }: FtrProviderContext) { const PageObjects = getPageObjects(['security', 'settings', 'common', 'accountSetting']); const log = getService('log'); + const security = getService('security'); const kibanaServer = getService('kibanaServer'); describe('useremail', function () { @@ -19,6 +20,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await kibanaServer.importExport.load( 'x-pack/test/functional/fixtures/kbn_archiver/security/discover' ); + await security.testUser.setRoles(['cluster_security_manager']); await PageObjects.settings.navigateTo(); await PageObjects.security.clickElasticsearchUsers(); }); 
@@ -63,6 +65,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await kibanaServer.importExport.unload( 'x-pack/test/functional/fixtures/kbn_archiver/security/discover' ); + await security.testUser.restoreDefaults(); }); }); } diff --git a/x-pack/test/functional/apps/security/users.ts b/x-pack/test/functional/apps/security/users.ts index 8448750bf1ccd..04c405b09407c 100644 --- a/x-pack/test/functional/apps/security/users.ts +++ b/x-pack/test/functional/apps/security/users.ts @@ -17,6 +17,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const retry = getService('retry'); const toasts = getService('toasts'); const browser = getService('browser'); + const security = getService('security'); function isCloudEnvironment() { return config.get('servers.elasticsearch.hostname') !== 'localhost'; @@ -30,8 +31,13 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { roles: ['superuser'], }; + after(async () => { + await security.testUser.restoreDefaults(); + }); + before(async () => { log.debug('users'); + await security.testUser.setRoles(['cluster_security_manager']); await PageObjects.settings.navigateTo(); await PageObjects.security.clickElasticsearchUsers(); }); diff --git a/x-pack/test/functional/config.base.js b/x-pack/test/functional/config.base.js index e422b0ca67657..b7e58ba13b151 100644 --- a/x-pack/test/functional/config.base.js +++ b/x-pack/test/functional/config.base.js 
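Review bot: In the `users.ts` hunk the new `after(async () => { await security.testUser.restoreDefaults(); });` is declared above the `before` hook, which reads oddly next to the other suites in this commit where teardown follows setup. Placing the `after` block directly below `before` keeps hook order consistent with the rest of the file while preserving the dedicated-hook shape, which is the more robust of the two patterns used in this commit. The surrounding `describe` body starts and ends outside the hunk.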
@@ -15,7 +15,7 @@ import { pageObjects } from './page_objects'; // example: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fpackage-storage/detail/snapshot/74/pipeline/257#step-302-log-1. // It should be updated any time there is a new Docker image published for the Snapshot Distribution of the Package Registry. export const dockerImage = - 'docker.elastic.co/package-registry/distribution:e1a3906e0c9944ecade05308022ba35eb0ebd00a'; + 'docker.elastic.co/package-registry/distribution:93ffe45d8c4ae11365bc70b1038643121049b9fe'; // the default export of config files must be a config provider // that returns an object with the projects config values @@ -480,6 +480,20 @@ export default async function ({ readConfigFile }) { }, }, + cluster_security_manager: { + elasticsearch: { + cluster: ['manage_security'], + }, + kibana: [ + { + feature: { + advancedSettings: ['read'], + }, + spaces: ['*'], + }, + ], + }, + ccr_user: { elasticsearch: { cluster: ['manage', 'manage_ccr'], diff --git a/x-pack/test/functional/es_archives/cases/default/mappings.json b/x-pack/test/functional/es_archives/cases/default/mappings.json index 28d9daff50d94..c25603894011e 100644 --- a/x-pack/test/functional/es_archives/cases/default/mappings.json +++ b/x-pack/test/functional/es_archives/cases/default/mappings.json @@ -298,13 +298,8 @@ } }, "type": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" + "ignore_above": 256, + "type": "keyword" }, "updated_at": { "type": "date" diff --git a/x-pack/test/functional/es_archives/kubernetes_security/process_events/data.json b/x-pack/test/functional/es_archives/kubernetes_security/process_events/data.json new file mode 100644 index 0000000000000..61be25aaa7809 --- /dev/null +++ b/x-pack/test/functional/es_archives/kubernetes_security/process_events/data.json 
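Review bot: The new `cluster_security_manager` role in `config.base.js` carries the `manage_security` cluster privilege with no comment stating what it is for or that every suite assigning it is expected to call `security.testUser.restoreDefaults()`; the neighbouring roles in this file are equally bare, but this one hands a shared test user the ability to manage users and roles, so it warrants a note. A comment above the entry such as `// Elevated role for the security management suites (users/roles UI); suites must restoreDefaults() in after()` would make that contract explicit, and the `advancedSettings: ['read']` grant could use a word on why the UI needs it. In the `cases/default/mappings.json` hunk, `type` changes from `text` with a `keyword` sub-field to a plain `keyword`; any test or saved query that still references `type.keyword` would presumably stop matching, which is worth confirming against the consumers of that archive.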
@@ -0,0 +1,200 @@ +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "1", + "source": { + "event.kind" : "event", + "@timestamp": "2020-12-16T15:16:18.570Z", + "message": "hello world 1", + "orchestrator.namespace": "namespace", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "2", + "source": { + "event.kind" : "event", + "@timestamp": "2020-12-16T15:16:18.570Z", + "message": "hello world 1", + "orchestrator.namespace": "namespace", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "3", + "source": { + "event.kind" : "event", + "@timestamp": "2020-12-16T15:16:19.570Z", + "message": "hello world 1", + "orchestrator.namespace": "namespace02", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "4", + "source": { + "event.kind" : "event", + "@timestamp": "2020-12-16T15:16:20.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace02", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "5", + "source": { + "event.kind" : "event", + "@timestamp": "2020-12-16T15:16:21.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace03", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "6", + "source": { + "@timestamp": "2020-12-16T15:16:22.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace03", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "7", + "source": { + "@timestamp": "2020-12-16T15:16:23.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace04", + "container.image.name": "debian11" 
+ } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "8", + "source": { + "@timestamp": "2020-12-16T15:16:24.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace05", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "9", + "source": { + "@timestamp": "2020-12-16T15:16:25.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace06", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "10", + "source": { + "@timestamp": "2020-12-16T15:16:26.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace07", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "11", + "source": { + "@timestamp": "2020-12-16T15:16:27.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace08", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "12", + "source": { + "@timestamp": "2020-12-16T15:16:28.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace09", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "13", + "source": { + "@timestamp": "2020-12-16T15:16:29.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace10", + "container.image.name": "debian11" + } + } +} + +{ + "type": "doc", + "value": { + "index": "kubernetes-test-index", + "id": "14", + "source": { + "@timestamp": "2020-12-16T15:16:30.570Z", + "message": "hello world security", + "orchestrator.namespace": "namespace11", + "container.image.name": "debian11" + } + } +} 
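Review bot: Documents `1` through `5` carry `"event.kind": "event"` while documents `6` through `14` omit it, and documents `1` and `2` share the same `@timestamp` and `message`; if that split is deliberate (for example to exercise a filter on `event.kind`), it is not stated anywhere and the fixture cannot hold a comment. A sentence in the functional test that loads this archive describing the two groups and the duplicated timestamps would prevent the next maintainer from "fixing" the asymmetry. The companion `mappings.json` does not declare `event.kind` or `@timestamp`, so both will be dynamically mapped on load.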
diff --git a/x-pack/test/functional/es_archives/kubernetes_security/process_events/mappings.json b/x-pack/test/functional/es_archives/kubernetes_security/process_events/mappings.json
new file mode 100644
index 0000000000000..c8440e22a211f
--- /dev/null
+++ b/x-pack/test/functional/es_archives/kubernetes_security/process_events/mappings.json
@@ -0,0 +1,28 @@
+{
+ "type": "index",
+ "value": {
+ "index": "kubernetes-test-index",
+ "mappings": {
+ "properties": {
+ "message": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ },
+ "orchestrator.namespace": {
+ "type": "keyword",
+ "ignore_above": 256
+ },
+ "container.image.name": {
+ "type": "keyword",
+ "ignore_above": 256
+ }
+ }
+ }
+ }
+}
+
diff --git a/x-pack/test/functional/es_archives/reporting/unmapped_fields/data.json b/x-pack/test/functional/es_archives/reporting/unmapped_fields/data.json
new file mode 100644
index 0000000000000..9df8b1c012e86
--- /dev/null
+++ b/x-pack/test/functional/es_archives/reporting/unmapped_fields/data.json
@@ -0,0 +1,25 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "1",
+ "index": "recipes",
+ "source": {
+ "text":"text1",
+ "unmapped": "unmapped1"
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "2",
+ "index": "recipes",
+ "source": {
+ "text":"text2",
+ "nested": {
+ "unmapped": "unmapped2"
+ }
+ }
+ }
+}
diff --git a/x-pack/test/functional/es_archives/reporting/unmapped_fields/mappings.json b/x-pack/test/functional/es_archives/reporting/unmapped_fields/mappings.json
new file mode 100644
index 0000000000000..f7cf22b6e4198
--- /dev/null
+++ b/x-pack/test/functional/es_archives/reporting/unmapped_fields/mappings.json
@@ -0,0 +1,14 @@
+{
+ "type": "index",
+ "value": {
+ "index": "recipes",
+ "mappings": {
+ "dynamic": false,
+ "properties": {
+ "text": {
+ "type": "text"
+ }
+ }
+ }
+ }
+}
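Review bot: The `kubernetes_security/process_events/mappings.json` mapping declares `message`, `orchestrator.namespace` and `container.image.name` but not `@timestamp` or `event.kind`, both of which the companion `data.json` documents use; with no `"dynamic": false` those two fields are left to dynamic mapping, so their types depend on the first document indexed rather than on the fixture. Declaring them explicitly, `"@timestamp": { "type": "date" }` and `"event.kind": { "type": "keyword" }`, under `properties` makes the archive deterministic and matches how the `reporting/unmapped_fields` mapping in the same commit pins its shape with `"dynamic": false`. The reporting fixtures themselves look intentional and need no change.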
diff --git a/x-pack/test/functional/es_archives/session_view/alerts/data.json.gz b/x-pack/test/functional/es_archives/session_view/alerts/data.json.gz new file mode 100644 index 0000000000000..126c4b1ee006d Binary files /dev/null and b/x-pack/test/functional/es_archives/session_view/alerts/data.json.gz differ diff --git a/x-pack/test/functional/es_archives/session_view/alerts/mappings.json b/x-pack/test/functional/es_archives/session_view/alerts/mappings.json new file mode 100644 index 0000000000000..ada228ec8e799 --- /dev/null +++ b/x-pack/test/functional/es_archives/session_view/alerts/mappings.json 
@@ -0,0 +1,5251 @@ +{ + "type": "index", + "value": { + "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": true + }, + ".siem-signals-default": { + "is_write_index": false + } + }, + "index": ".internal.alerts-security.alerts-default", + "mappings": { + "_meta": { + "kibana": { + "version": "8.3.0" + }, + "namespace": "default" + }, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "keyword" + } + } + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + 
"type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + 
}, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "id": { + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "type": "keyword" + }, + "tag": { + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "type": "keyword" + }, + "runtime": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + 
"email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + }, + "header_flags": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "op_code": { + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "registered_domain": { + 
"type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "nested" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + 
"attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": 
"keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": 
"keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + 
"kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "method": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "referrer": { + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "action_group": { + "type": "keyword" + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "building_block_type": { + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "end": { + "type": "date" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "keyword" + }, + "end": { + "type": "date" + }, + "hash": { + "type": 
"keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "original_time": { + "type": "date" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "consumer": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "exceptions_list": { + "type": "object" + }, + "execution": { + "properties": { + "uuid": { + "type": "keyword" + } + } + }, + "false_positives": { + "type": "keyword" + }, + "from": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "max_signals": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "keyword" + }, + "parameters": { + "ignore_above": 4096, + "type": "flattened" + }, + "producer": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "rule_type_id": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + 
"framework": { + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + }, + "start": { + "type": "date" + }, + "status": { + "type": "keyword" + }, + "system_status": { + "type": "keyword" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "uuid": { + "type": "keyword" + }, + "workflow_reason": { + "type": "keyword" + }, + "workflow_status": { + "type": "keyword" + }, + "workflow_user": { + "type": "keyword" + } + } + }, + "space_ids": { + "type": "keyword" + }, + "version": { + "type": "version" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "keyword" + } + } + }, + "level": { + "type": "keyword" + }, + "logger": { + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": 
"long" + }, + "name": { + "type": "keyword" + } + } + }, + "function": { + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "network": { + "properties": { + "application": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "type": "keyword" + }, + "direction": { + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "name": { + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "type": "keyword" + }, + "transport": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": 
"keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "product": { + "type": "keyword" + }, + "serial_number": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "namespace": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build_version": { + "type": "keyword" + }, + "checksum": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "install_scope": { + "type": "keyword" + }, + "installed": { + "type": "date" 
+ }, + "license": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "type": "keyword" + 
}, + "type": { + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "entry_leader": { + "properties": { + "entity_id": { + "type": "keyword" + } + } + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + 
}, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + 
} + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "type": "keyword" + }, + "hosts": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "ruleset": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + 
}, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" 
+ }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "signal": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "path": "kibana.alert.ancestors.depth", + "type": "alias" + }, + "id": { + "path": "kibana.alert.ancestors.id", + "type": "alias" + }, + "index": { + "path": "kibana.alert.ancestors.index", + "type": "alias" + }, + "type": { + "path": "kibana.alert.ancestors.type", + "type": "alias" + } + } + }, + "depth": { + "path": "kibana.alert.depth", + "type": "alias" + }, + "group": { + "properties": { + "id": { + "path": "kibana.alert.group.id", + "type": "alias" + }, + "index": { + "path": "kibana.alert.group.index", + "type": "alias" + } + } + }, + "original_event": { + "properties": { + "action": { + "path": "kibana.alert.original_event.action", + "type": "alias" + }, + "category": { + "path": "kibana.alert.original_event.category", + "type": "alias" + }, + "code": { + "path": "kibana.alert.original_event.code", + "type": "alias" + }, + "created": { + "path": "kibana.alert.original_event.created", + "type": "alias" + }, + "dataset": { + "path": "kibana.alert.original_event.dataset", + "type": "alias" + }, + "duration": { + "path": "kibana.alert.original_event.duration", + "type": "alias" + }, + "end": { + "path": "kibana.alert.original_event.end", + "type": "alias" + }, + "hash": { + "path": "kibana.alert.original_event.hash", + "type": "alias" + }, + "id": { + "path": "kibana.alert.original_event.id", + "type": "alias" + }, + "kind": { + "path": "kibana.alert.original_event.kind", + "type": "alias" + }, + "module": { + "path": "kibana.alert.original_event.module", + "type": "alias" + }, + "outcome": { + "path": 
"kibana.alert.original_event.outcome", + "type": "alias" + }, + "provider": { + "path": "kibana.alert.original_event.provider", + "type": "alias" + }, + "reason": { + "path": "kibana.alert.original_event.reason", + "type": "alias" + }, + "risk_score": { + "path": "kibana.alert.original_event.risk_score", + "type": "alias" + }, + "risk_score_norm": { + "path": "kibana.alert.original_event.risk_score_norm", + "type": "alias" + }, + "sequence": { + "path": "kibana.alert.original_event.sequence", + "type": "alias" + }, + "severity": { + "path": "kibana.alert.original_event.severity", + "type": "alias" + }, + "start": { + "path": "kibana.alert.original_event.start", + "type": "alias" + }, + "timezone": { + "path": "kibana.alert.original_event.timezone", + "type": "alias" + }, + "type": { + "path": "kibana.alert.original_event.type", + "type": "alias" + } + } + }, + "original_time": { + "path": "kibana.alert.original_time", + "type": "alias" + }, + "reason": { + "path": "kibana.alert.reason", + "type": "alias" + }, + "rule": { + "properties": { + "author": { + "path": "kibana.alert.rule.author", + "type": "alias" + }, + "building_block_type": { + "path": "kibana.alert.building_block_type", + "type": "alias" + }, + "created_at": { + "path": "kibana.alert.rule.created_at", + "type": "alias" + }, + "created_by": { + "path": "kibana.alert.rule.created_by", + "type": "alias" + }, + "description": { + "path": "kibana.alert.rule.description", + "type": "alias" + }, + "enabled": { + "path": "kibana.alert.rule.enabled", + "type": "alias" + }, + "false_positives": { + "path": "kibana.alert.rule.false_positives", + "type": "alias" + }, + "from": { + "path": "kibana.alert.rule.from", + "type": "alias" + }, + "id": { + "path": "kibana.alert.rule.uuid", + "type": "alias" + }, + "immutable": { + "path": "kibana.alert.rule.immutable", + "type": "alias" + }, + "interval": { + "path": "kibana.alert.rule.interval", + "type": "alias" + }, + "license": { + "path": 
"kibana.alert.rule.license", + "type": "alias" + }, + "max_signals": { + "path": "kibana.alert.rule.max_signals", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.name", + "type": "alias" + }, + "note": { + "path": "kibana.alert.rule.note", + "type": "alias" + }, + "references": { + "path": "kibana.alert.rule.references", + "type": "alias" + }, + "risk_score": { + "path": "kibana.alert.risk_score", + "type": "alias" + }, + "rule_id": { + "path": "kibana.alert.rule.rule_id", + "type": "alias" + }, + "rule_name_override": { + "path": "kibana.alert.rule.rule_name_override", + "type": "alias" + }, + "severity": { + "path": "kibana.alert.severity", + "type": "alias" + }, + "tags": { + "path": "kibana.alert.rule.tags", + "type": "alias" + }, + "threat": { + "properties": { + "framework": { + "path": "kibana.alert.rule.threat.framework", + "type": "alias" + }, + "tactic": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.tactic.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.tactic.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.tactic.reference", + "type": "alias" + } + } + }, + "technique": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.technique.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.technique.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.technique.reference", + "type": "alias" + }, + "subtechnique": { + "properties": { + "id": { + "path": "kibana.alert.rule.threat.technique.subtechnique.id", + "type": "alias" + }, + "name": { + "path": "kibana.alert.rule.threat.technique.subtechnique.name", + "type": "alias" + }, + "reference": { + "path": "kibana.alert.rule.threat.technique.subtechnique.reference", + "type": "alias" + } + } + } + } + } + } + }, + "timeline_id": { + "path": "kibana.alert.rule.timeline_id", + "type": "alias" + }, + "timeline_title": { + "path": 
"kibana.alert.rule.timeline_title", + "type": "alias" + }, + "timestamp_override": { + "path": "kibana.alert.rule.timestamp_override", + "type": "alias" + }, + "to": { + "path": "kibana.alert.rule.to", + "type": "alias" + }, + "type": { + "path": "kibana.alert.rule.type", + "type": "alias" + }, + "updated_at": { + "path": "kibana.alert.rule.updated_at", + "type": "alias" + }, + "updated_by": { + "path": "kibana.alert.rule.updated_by", + "type": "alias" + }, + "version": { + "path": "kibana.alert.rule.version", + "type": "alias" + } + } + }, + "status": { + "path": "kibana.alert.workflow_status", + "type": "alias" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "path": "kibana.alert.threshold_result.cardinality.field", + "type": "alias" + }, + "value": { + "path": "kibana.alert.threshold_result.cardinality.value", + "type": "alias" + } + } + }, + "count": { + "path": "kibana.alert.threshold_result.count", + "type": "alias" + }, + "from": { + "path": "kibana.alert.threshold_result.from", + "type": "alias" + }, + "terms": { + "properties": { + "field": { + "path": "kibana.alert.threshold_result.terms.field", + "type": "alias" + }, + "value": { + "path": "kibana.alert.threshold_result.terms.value", + "type": "alias" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + 
"region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, 
+ "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + 
"type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + 
"properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": 
{ + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "matched": { + "properties": { + "atomic": { + "type": "keyword" + }, + "field": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + 
"properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": 
"keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + 
"properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": 
"keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platforms": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + 
"type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "type": "keyword" + }, + "subject": { + "type": "keyword" + }, + "supported_ciphers": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": 
"keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "curve": { + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3s": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + 
"state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "version": { + "type": "keyword" + }, + "version_protocol": { + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "domain": { + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "email": { + "type": "keyword" 
+ }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "type": "keyword" + }, + "classification": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enumeration": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "report_id": { + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" 
+ } + } + } + } + }, + "settings": { + "index": { + "hidden": "true", + "lifecycle": { + "name": ".alerts-ilm-policy", + "rollover_alias": ".alerts-security.alerts-default" + }, + "mapping": { + "total_fields": { + "limit": "1700" + } + }, + "number_of_replicas": "1", + "number_of_shards": "1" + } + } + } +} diff --git a/x-pack/test/functional/es_archives/session_view/process_events/data.json b/x-pack/test/functional/es_archives/session_view/process_events/data.json new file mode 100644 index 0000000000000..312797d5ec3bd --- /dev/null +++ b/x-pack/test/functional/es_archives/session_view/process_events/data.json 
@@ -0,0 +1,206945 @@ + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "FFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process 
event", + "@timestamp": "2022-05-08T13:44:06.6Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304525, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:06.6Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q+1", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "FVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:06.6Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304527, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:06.6Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q+2", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "FlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + 
}, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:28.9372604Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304529, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:28.9372604Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q+9", + "category": [ + "process" + ], + "type": [ + "change" + ], + 
"dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "F1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 
1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:28.9403675Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304531, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:28.9403675Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q+5", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "GFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { 
+ "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "curl -s -f 
https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:28.9406982Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304533, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:28.9406982Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q+6", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + 
"real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "GVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 
+ }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": 
"1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0215735Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304535, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0215735Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q/j", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "GlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + 
"-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + 
{ + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0219945Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304537, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0219945Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q/l", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "G1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + 
"start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint 
process event", + "@timestamp": "2022-05-10T20:38:29.0224192Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304539, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0224192Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q/o", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0237925Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304541, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0237925Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q/r", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0281526Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": 
"Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304543, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0281526Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q/x", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + 
"args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0292163Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304545, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0292163Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q0+", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "H1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + 
"minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0338594Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": 
"x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304547, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0338594Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q06", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, 
+ "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0342621Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304549, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0342621Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": 
"MbEL/BDTBn1bDrQw++++2Q08", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, 
+ { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0350467Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304551, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0350467Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q0B", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": 
{ + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": 
"b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0378041Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304553, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0378041Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q0I", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "I1Wxr4ABxtjWu-uc9DOM", + "source": { + 
"agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 
+ }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.0387439Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304555, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0387439Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q0M", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "JFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + 
"start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint 
process event", + "@timestamp": "2022-05-10T20:38:29.0423934Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304557, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.0423934Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q0X", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "J1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52066, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY2LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "curl -s -f https://sub3.c-app.cmd.com:443/install/9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e/PRJ-8952/YnBm", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:29.4345464Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304563, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:29.4345464Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q1Q", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.005291Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304565, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.005291Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q1z", + "category": [ + "process" + ], + 
"type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": 
[ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0059753Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 
21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304567, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0059753Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q20", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0138619Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304569, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0138619Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q2D", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "K1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + 
"-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + 
"args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.71Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304571, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.71Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q2d", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0424061Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304573, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0424061Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Q2m", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + 
"real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "sudo", + "bash" + ], + "args_count": 
0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + 
"minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0520639Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304575, + 
"ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0520639Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q2o", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 
+ }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52070, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcwLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + 
"source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304577, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3M", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "L1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52070, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcwLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-s" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0788151Z", + 
"ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304579, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0788151Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q3O", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52070, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcwLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-s" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "uname", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0820438Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304581, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0820438Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q3T", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "MVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52071, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcxLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304583, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3U", + "category": [ + "process" + ], + "type": 
[ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + 
"name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52071, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcxLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": [ + "id", + "-u" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "id", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0832324Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304585, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0832324Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q3W", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "M1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52071, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcxLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": [ + "id", + "-u" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 
+ }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "id", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0866115Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304587, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0866115Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q3e", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52072, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcyLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304589, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3f", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52072, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcyLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-r" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0888254Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304591, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0888254Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q3h", + "category": [ + "process" 
+ ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.76Z", + "pid": 52072, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDcyLTEzMjk2NDkxMDQ4Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-r" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.0908861Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + 
"10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304593, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.0908861Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q3m", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "N1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": 
{ + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304595, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3t", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304597, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3v", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 
1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304599, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3x", + "category": [ + "process" + ], + "type": [ + "start" + 
], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + 
"args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52076, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc2LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + 
"platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304601, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q3z", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "O1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52077, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc3LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304603, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4+", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52076, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc2LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.112094Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304605, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.112094Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": 
"MbEL/BDTBn1bDrQw++++2Q41", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52077, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc3LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1127281Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + 
"hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304607, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1127281Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q42", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52077, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc3LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1141399Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304609, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1141399Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q47", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "P1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 
118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52075, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc1LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1147201Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304611, + 
"ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1147201Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q48", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.79Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304613, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.79Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q49", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:31.1209194Z", + "pid": 52079, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc5LTEzMjk2Njg4NzExLjEyMDkxOTQwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1209194Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304615, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1209194Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4B", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52080, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgwLTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.79Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304617, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.79Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4C", + 
"category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Q1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:31.1209194Z", + "pid": 52079, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc5LTEzMjk2Njg4NzExLjEyMDkxOTQwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1252306Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": 
"Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304619, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1252306Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4F", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52080, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgwLTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1258844Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304621, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1258844Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q4G", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 
+ } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52080, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgwLTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": 
[ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1281556Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304623, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1281556Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4L", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.79Z", + "pid": 52078, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc4LTEzMjk2NDkxMDQ4Ljc5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1287455Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304625, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1287455Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4M", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "R1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + 
"name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.81Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304627, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.81Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4N", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + 
}, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + 
"start": "2022-05-10T20:38:31.1349547Z", + "pid": 52082, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgyLTEzMjk2Njg4NzExLjEzNDk1NDcwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1349547Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304629, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1349547Z", + "kind": "event", + "module": 
"endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4P", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52083, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgzLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.81Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304631, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.81Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4Q", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:31.1349547Z", + "pid": 52082, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgyLTEzMjk2Njg4NzExLjEzNDk1NDcwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + 
"hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1386328Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304633, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1386328Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4T", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "S1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": 
"/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52083, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgzLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1392207Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304635, + 
"ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1392207Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q4U", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52083, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgzLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + 
"name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1407189Z", + "ecs": { + "version": 
"1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304637, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1407189Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4Z", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.81Z", + "pid": 52081, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDgxLTEzMjk2NDkxMDQ4LjgxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1412435Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304639, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1412435Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4a", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", 
+ "value": { + "index": "logs-endpoint.events.process", + "id": "TlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52074, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDc0LTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1417547Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304641, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1417547Z", 
+ "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4b", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "T1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.78Z", + "pid": 52073, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDczLTEzMjk2NDkxMDQ4Ljc4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1422544Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", 
+ "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304643, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1422544Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q4c", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.82Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": 
"codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304645, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.82Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4d", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52085, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg1LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.82Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304647, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.82Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q4f", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52085, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg1LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--print-architecture" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1460651Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304649, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1460651Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2Q4g", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "U1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": 
"root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52085, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg1LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--print-architecture" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1597395Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304651, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1597395Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q54", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.82Z", + "pid": 52084, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg0LTEzMjk2NDkxMDQ4LjgyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + 
}, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1603327Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + 
"namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304653, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1603327Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q55", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.85Z", + "pid": 52086, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg2LTEzMjk2NDkxMDQ4Ljg1MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.85Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304655, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.85Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q5C", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.85Z", + "pid": 52086, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg2LTEzMjk2NDkxMDQ4Ljg1MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { 
+ "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1701222Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304657, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1701222Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q5D", + 
"category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "V1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + 
{ + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.85Z", + "pid": 52086, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg2LTEzMjk2NDkxMDQ4Ljg1MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + 
"pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.174287Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + 
"127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304659, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.174287Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q5M", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52087, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg3LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.86Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": 
{ + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304663, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.86Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q5S", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "W1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52087, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg3LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/cat", + "args": [ + "cat" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cat", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + 
"command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1797604Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304667, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1797604Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q5W", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + 
"Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52087, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg3LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + 
"executable": "/usr/bin/cat", + "args": [ + "cat" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", 
+ "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cat", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1817684Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304669, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1817684Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q5b", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + 
"real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.86Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 304671, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.86Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q5k", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + 
"args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1890425Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304673, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1890425Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q5l", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "X1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.87Z", + "pid": 52089, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg5LTEzMjk2NDkxMDQ4Ljg3MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.87Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304675, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.87Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q5u", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + 
"index": "logs-endpoint.events.process", + "id": "YFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + 
}, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.87Z", + "pid": 52089, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg5LTEzMjk2NDkxMDQ4Ljg3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0700", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1968893Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304677, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1968893Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q5z", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.87Z", + "pid": 52089, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg5LTEzMjk2NDkxMDQ4Ljg3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0700", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": 
"kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": 
"a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.1991264Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304679, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.1991264Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q62", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.86Z", + "pid": 52088, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDg4LTEzMjk2NDkxMDQ4Ljg2MDAwMDAwMA==", + "executable": 
"/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2016255Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304681, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2016255Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q67", + 
"category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Y1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { 
+ "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.88Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304683, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.88Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q68", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", 
+ "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2027341Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + 
"namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304685, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2027341Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q69", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.89Z", + "pid": 52091, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkxLTEzMjk2NDkxMDQ4Ljg5MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.89Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304687, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.89Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q6L", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } 
+ } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 
+ }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.89Z", + "pid": 52091, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkxLTEzMjk2NDkxMDQ4Ljg5MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/config.ini" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": 
"10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2163391Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, 
+ "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304689, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2163391Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q6Q", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Z1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.89Z", + "pid": 52091, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkxLTEzMjk2NDkxMDQ4Ljg5MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/config.ini" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": 
{ + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + 
"sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2182619Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304691, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2182619Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q6X", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.9Z", + "pid": 52092, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkyLTEzMjk2NDkxMDQ4LjkwMDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + 
"user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.9Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304693, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.9Z", + "kind": "event", + "module": 
"endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q6Z", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + 
}, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.9Z", + "pid": 52092, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkyLTEzMjk2NDkxMDQ4LjkwMDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/cmd.prj" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": 
"docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2216161Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304695, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2216161Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q6e", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "alWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.9Z", + "pid": 52092, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkyLTEzMjk2NDkxMDQ4LjkwMDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/cmd.prj" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2258792Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304697, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2258792Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q6l", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + 
"id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "a1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 
0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.88Z", + "pid": 52090, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkwLTEzMjk2NDkxMDQ4Ljg4MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ 
+ "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2263558Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304699, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2263558Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q6n", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "bFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + 
"type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.92Z", + "pid": 52093, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkzLTEzMjk2NDkxMDQ4LjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:08.92Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", 
+ "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304701, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:08.92Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q6t", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "bVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.92Z", + "pid": 52093, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkzLTEzMjk2NDkxMDQ4LjkyMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e", + "https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + 
"id": 0 + }, + "command_line": "curl -s -w %{http_code} -H project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:31.2403876Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304703, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:31.2403876Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q6w", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + 
} + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "cVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": 
{ + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.92Z", + "pid": 52093, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDkzLTEzMjk2NDkxMDQ4LjkyMDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e", + "https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "curl -s -w %{http_code} -H project-key: 9d01e816ef3195d59ade45a53ac10ed747b9a57f6eba218fa73873eb9bc095d3d90263eb4243b53ccfaebc2dc77a9fba4dd3ceab26a52d6d68138ca3d5a2298e https://sub3.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.2596286Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 
14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304711, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.2596286Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Q93", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "clWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, 
+ "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, 
+ { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:09.95Z", + "ecs": { + "version": "1.11.0" + }, + 
"data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304713, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:09.95Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q98", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "c1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.2719292Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304715, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.2719292Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q9C", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "dFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": 
"root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:09.96Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304717, + "ingested": 
"2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:09.96Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q9d", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.2945453Z", + "ecs": { + "version": "1.11.0" + }, 
+ "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304719, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.2945453Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q9k", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", 
+ "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:09.98Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304721, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:09.98Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": 
"MbEL/BDTBn1bDrQw++++2Q9q", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "d1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > 
/dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:09.98Z", + 
"ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304723, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:09.98Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Q9r", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + 
"args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], 
+ "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.2998726Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304725, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.2998726Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Q9s", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52099, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk5LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": 
"3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:09.98Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304727, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:09.98Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QA+", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "e1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + 
"pid": 52066 + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52099, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk5LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3105322Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304731, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3105322Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QA/", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "fFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52099, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk5LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + 
], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, 
+ "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3266413Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304733, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3266413Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QAD", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "fVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.01Z", + "pid": 52100, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAwLTEzMjk2NDkxMDUwLjEwMDAwMDAw", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { 
+ "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.01Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304735, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.01Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + 
"id": "MbEL/BDTBn1bDrQw++++2QAN", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "flWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": 
"dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.01Z", + "pid": 52100, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAwLTEzMjk2NDkxMDUwLjEwMDAwMDAw", + "executable": "/usr/bin/dpkg-split", + "args": [ + "dpkg-split", + "-Qao", + "/var/lib/dpkg/reassemble.deb", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-split", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3353405Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + 
"host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304737, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3353405Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QAR", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "f1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.01Z", + "pid": 52100, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAwLTEzMjk2NDkxMDUwLjEwMDAwMDAw", + "executable": "/usr/bin/dpkg-split", + "args": [ + "dpkg-split", + "-Qao", + "/var/lib/dpkg/reassemble.deb", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "dpkg-split", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.350006Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304739, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.350006Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QAk", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": 
"gFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": 
true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + 
}, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.03Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304741, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.03Z", + 
"kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QAm", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "gVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, 
+ "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + 
"start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3531275Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304743, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3531275Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QAq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "glWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52102, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAyLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": 
"dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.04Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304745, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.04Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QB+", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + 
+ { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "g1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52103, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAzLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.04Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304747, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.04Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QB/", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "hFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52104, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA0LTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 
1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": 
"08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.04Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304749, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.04Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QB1", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "hVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52102, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAyLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3773898Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304751, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3773898Z", + 
"kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QB0", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "hlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52104, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA0LTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/tar", + "args": [ + "tar", + "-x", + "-f", + "-", + "--warning=no-timestamp" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + 
"name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tar", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 5, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3797501Z", + "ecs": { + 
"version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304753, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3797501Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QBE", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "h1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52103, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAzLTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + 
"/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3815406Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304755, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3815406Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QBO", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": 
"endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "jVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 
+ }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.04Z", + "pid": 52104, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA0LTEzMjk2NDkxMDUwLjQwMDAwMDAw", + "executable": "/usr/bin/tar", + "args": [ + "tar", + "-x", + "-f", + "-", + "--warning=no-timestamp" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tar", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3937668Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304767, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3937668Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QBm", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "jlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.03Z", + "pid": 52101, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTAxLTEzMjk2NDkxMDUwLjMwMDAwMDAw", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": 
"dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.3985228Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304769, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.3985228Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QC+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } 
+ } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "kVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + 
"minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.64Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + 
"sequence": 304775, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.64Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QYq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "klWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, 
+ "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { 
+ "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:32.9659415Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304777, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:32.9659415Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QYv", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "k1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52106, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA2LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": 
"docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.65Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304779, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.65Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QZ3", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", 
+ "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "lFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52107, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA3LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.65Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], 
+ "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304781, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.65Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QZ4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "l1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 
52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52106, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA2LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.0692338Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304787, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.0692338Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QZd", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "nFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.65Z", + "pid": 52107, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA3LTEzMjk2NDkxMDUwLjY1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + 
"dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", 
+ "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.0866795Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304797, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.0866795Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QZu", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": 
"endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "nVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.64Z", + "pid": 52105, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA1LTEzMjk2NDkxMDUwLjY0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.089086Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": 
"Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304799, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.089086Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QZx", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "rFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.8Z", + "pid": 52108, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA4LTEzMjk2NDkxMDUwLjgwMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { 
+ "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.8Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304829, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.8Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qag", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + 
"index": "logs-endpoint.events.process", + "id": "rVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + 
"id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.8Z", + "pid": 52108, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA4LTEzMjk2NDkxMDUwLjgwMDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": [ + "touch", + "/run/needrestart/unpacked" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "touch", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": "2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1295264Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + 
"Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304831, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1295264Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Qah", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "r1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.8Z", + "pid": 52108, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA4LTEzMjk2NDkxMDUwLjgwMDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": [ + "touch", + 
"/run/needrestart/unpacked" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "touch", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": "2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1366171Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304835, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1366171Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qaq", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + 
"Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "s1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.83Z", + "pid": 52109, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA5LTEzMjk2NDkxMDUwLjgzMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.83Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304843, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.83Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QbC", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "tFWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.83Z", + "pid": 52109, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA5LTEzMjk2NDkxMDUwLjgzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-rf", + "--", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + 
"name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1530953Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304845, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1530953Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QbG", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "t1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.83Z", + "pid": 52109, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTA5LTEzMjk2NDkxMDUwLjgzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + 
"-rf", + "--", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 
+ }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.1589496Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304851, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.1589496Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QbQ", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { 
+ "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xVWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.89Z", + "pid": 52110, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEwLTEzMjk2NDkxMDUwLjg5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.89Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304879, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.89Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QcO", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xlWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.89Z", + "pid": 52110, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEwLTEzMjk2NDkxMDUwLjg5MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": [ + "/bin/sh", + "/var/lib/dpkg/info/cmd.postinst", + "configure", + "" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.postinst", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + 
"md5": "01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2135403Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304881, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2135403Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2QcQ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "x1Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.89Z", + "pid": 52110, + "working_directory": "/", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEwLTEzMjk2NDkxMDUwLjg5MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": [ + "/bin/sh", + "/var/lib/dpkg/info/cmd.postinst", + "configure", + "" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + 
"user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cmd.postinst", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + "md5": "01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2199347Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304883, + "ingested": "2022-05-10T20:38:36Z", + "created": 
"2022-05-10T20:38:33.2199347Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qcb", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "11Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + 
"name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, 
+ "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2534032Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304915, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2534032Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qd/", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52098, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk4LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + 
}, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 
46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2537046Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304917, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2537046Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qd0", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, 
+ "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2VWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.93Z", + "pid": 52111, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTExLTEzMjk2NDkxMDUwLjkzMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.93Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304919, + "ingested": "2022-05-10T20:38:36Z", + "created": 
"2022-05-08T13:44:10.93Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qd1", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2lWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || 
cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.98Z", + "pid": 52097, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk3LTEzMjk2NDkxMDQ5Ljk4MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:38:33.2575084Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304921, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2575084Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qd2", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "21Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.95Z", + "pid": 52095, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk1LTEzMjk2NDkxMDQ5Ljk1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:09.96Z", + "pid": 52096, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDk2LTEzMjk2NDkxMDQ5Ljk2MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > 
/dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", 
+ "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2577396Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304923, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2577396Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qd4", + "category": [ + "process" + ], + "type": [ + "end" + ], + 
"dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "3FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + 
"id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.93Z", + "pid": 52111, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTExLTEzMjk2NDkxMDUwLjkzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-f", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2579821Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304925, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2579821Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Qd3", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "3lWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.93Z", + "pid": 52111, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTExLTEzMjk2NDkxMDUwLjkzMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-f", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2615295Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": 
"logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304929, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2615295Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2QdE", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "31Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.94Z", + "pid": 52112, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEyLTEzMjk2NDkxMDUwLjk0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.94Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304931, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.94Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2QdF", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "4FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.94Z", + "pid": 52112, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEyLTEzMjk2NDkxMDUwLjk0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + 
}, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2730833Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304933, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2730833Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qdb", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": 
"root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "4VWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.96Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304935, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.96Z", + "kind": "event", + 
"module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qdf", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "4lWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + 
"command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52114, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE0LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + 
"ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.96Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", 
+ "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304937, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.96Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qdh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "41Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52114, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE0LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", 
+ "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": 
"Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2808165Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304939, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2808165Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Qdj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "5FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52114, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE0LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.283867Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304941, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.283867Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qdo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + 
}, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "5VWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + 
}, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:33.2842357Z", + "pid": 52115, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE1LTEzMjk2Njg4NzEzLjI4NDIzNTcwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2842357Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 304943, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2842357Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qdp", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "5lWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52116, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE2LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" 
+ }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.96Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": 
"Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304945, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.96Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qdr", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "51Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + 
"parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:33.2842357Z", + "pid": 52115, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE1LTEzMjk2Njg4NzEzLjI4NDIzNTcwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + 
"@timestamp": "2022-05-10T20:38:33.2933773Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304947, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2933773Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qdt", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "6FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52116, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE2LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2936371Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304949, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2936371Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Qdu", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": 
"root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "6VWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] 
+ }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52116, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE2LTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + 
"-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2962121Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304951, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2962121Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qdz", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "6lWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, 
+ "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.96Z", + "pid": 52113, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTEzLTEzMjk2NDkxMDUwLjk2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.296459Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304953, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.296459Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Qe+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "61Wxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.98Z", + "pid": 52117, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE3LTEzMjk2NDkxMDUwLjk4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + 
}, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:10.98Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", 
+ "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304955, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-08T13:44:10.98Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Qe/", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "7FWxr4ABxtjWu-uc9DOM", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.98Z", + "pid": 52117, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE3LTEzMjk2NDkxMDUwLjk4MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "enable", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:33.2975142Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304957, + "ingested": "2022-05-10T20:38:36Z", + "created": "2022-05-10T20:38:33.2975142Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Qe0", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "9VW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "su" + ], + "args_count": 0, + "executable": "/usr/bin/su" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 
27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 130, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.4844593Z", + "ecs": { + 
"version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305979, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.4844593Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UoY", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "9lW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "su" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 130, + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "hash": { + "sha1": "8c4fcb67858dc0862f67b53f956e1d601a714bba", + "sha256": "27009f2285d7e7af458d8b7e752a4ebcfc316efeeed8aa87f535c58d5b7335a9", + "md5": "e90d906f2647087d1ac2aa06de77293e" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.5047303Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305981, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.5047303Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uom", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "91W0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 130, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:41.5137975Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305983, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:41.5137975Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": 
"MbEL/BDTBn1bDrQw++++2Uoy", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-FW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.02Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305985, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.02Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Up1", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-VW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.02Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305987, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.02Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Up2", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-lW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 
+ }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", 
+ "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", 
+ "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.362144Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, 
+ "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305989, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.362144Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UpA", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-1W0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 
+ }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "curl -s -f https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.3688845Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + 
"127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305991, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.3688845Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Up6", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_FW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + 
"type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + 
"id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.3689067Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + 
}, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305993, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.3689067Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Up7", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_VW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", 
+ "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4456032Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305995, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4456032Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": 
"MbEL/BDTBn1bDrQw++++2Uqi", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_lW0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + 
{ + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4460211Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305997, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4460211Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Uqk", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { 
+ "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_1W0r4ABxtjWu-ucATUD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": 
"b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4464949Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305999, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4464949Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Uqm", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AFW0r4ABxtjWu-ucATYD", + "source": { + 
"agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 
+ }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4489544Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306001, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4489544Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Uqp", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4503213Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306003, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4503213Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Uqu", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.451782Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306005, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.451782Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Uqx", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "A1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4543496Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": 
"Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306007, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4543496Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Ur2", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + 
"args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4547697Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306009, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4547697Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Ur4", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + 
"minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + 
"id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4564314Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + 
}, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306011, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4564314Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2Ur6", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", 
+ "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4597177Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306013, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4597177Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": 
"MbEL/BDTBn1bDrQw++++2UrD", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "B1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, 
+ { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4609328Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306015, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4609328Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UrH", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": 
{ + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "CFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 
+ }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": 
"b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4642072Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306017, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4642072Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UrS", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "CVW0r4ABxtjWu-ucATYD", + "source": { + 
"agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 
24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4827012Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306019, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4827012Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Us5", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ClW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4834139Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306021, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4834139Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Us8", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "C1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.4922216Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306023, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.4922216Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UsK", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, 
+ "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.19Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306025, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.19Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Usj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.547303Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306027, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.547303Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2Ust", + "category": [ + 
"process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + 
"id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.5583183Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306029, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.5583183Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Usu", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "EVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + 
"https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52218, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE4LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-f", + "https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + 
"user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "curl -s -f 
https://sub4.c-app.cmd.com:443/install/fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5/PRJ-G5L2/dGVzdA==", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6393576Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306035, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6393576Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UtT", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { 
+ "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ElW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52222, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIyLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.34Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 306037, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.34Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Utw", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "E1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, 
+ "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52222, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIyLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-s" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6593792Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": 
"Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306039, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6593792Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uty", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "FFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] 
+ }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52222, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIyLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-s" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + 
"group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -s", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": 
"ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6618563Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306041, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6618563Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uu1", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "FVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52223, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIzLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.34Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306043, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.34Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uu2", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "FlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": 
"root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52223, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIzLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": [ + "id", + "-u" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": 
"kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "id", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.663293Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306045, + "ingested": "2022-05-10T20:40:51Z", + "created": 
"2022-05-10T20:40:42.663293Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uu4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "F1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": 
"root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52223, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIzLTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/id", + "args": [ + "id", + "-u" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "id", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "id -u", + "hash": { + "sha1": "02339fec9524a489db7f552ebd82a6130266e0db", + "sha256": "f0c0a70a1bd13ee3af1a82d85af8230e88ba27763caca91db44557c61ceaabb0", + "md5": "8aa4dbf8064d18cf9117cd9673f2d5ed" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6666456Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + 
"version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306047, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6666456Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UuC", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "GFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52224, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI0LTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, 
+ { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.34Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306049, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.34Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuD", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "GVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52224, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI0LTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-r" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { 
+ "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6685764Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306051, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6685764Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UuF", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "GlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.34Z", + "pid": 52224, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI0LTEzMjk2NDkxMTgwLjM0MDAwMDAwMA==", + "executable": "/usr/bin/uname", + "args": [ + "uname", + "-r" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "uname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "uname -r", + "hash": { + "sha1": "1eaf15b8b801cce1cbd3a5c4c9bbdffdd59599e0", + "sha256": "4c376e391461cc13fe4d66f0060197e2ee920ffce8a6334d7a6b2ebdcc6cd31f", + "md5": "ab2c3332885647313dbc160a329fd0f5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6705537Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306053, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6705537Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UuK", + 
"category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "G1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.36Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306055, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.36Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuR", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.36Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": 
{ + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306057, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.36Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuT", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + 
"name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.36Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306059, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.36Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuV", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "HlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + 
}, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-10T20:40:42.6822515Z", + "pid": 52228, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI4LTEzMjk2Njg4ODQyLjY4MjI1MTUwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6822515Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306061, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6822515Z", + "kind": "event", + "module": 
"endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuX", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "H1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52229, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI5LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.36Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306063, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.36Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UuY", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:42.6822515Z", + "pid": 52228, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI4LTEzMjk2Njg4ODQyLjY4MjI1MTUwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + 
"hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6888346Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306065, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6888346Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uuc", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": 
"/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52229, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI5LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.689451Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306067, + 
"ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.689451Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uub", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "IlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52229, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI5LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + 
"id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6914489Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306069, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6914489Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uuh", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "I1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52227, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI3LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6920784Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306071, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6920784Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uui", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "JFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 
+ } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.37Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306073, + "ingested": 
"2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.37Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uuj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "JVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": 
"/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:42.6961356Z", + "pid": 52231, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMxLTEzMjk2Njg4ODQyLjY5NjEzNTYwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6961356Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + 
"hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306075, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6961356Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uul", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "JlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52232, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMyLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + 
"name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.37Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306077, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.37Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uun", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "J1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + 
}, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-10T20:40:42.6961356Z", + "pid": 52231, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMxLTEzMjk2Njg4ODQyLjY5NjEzNTYwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6983705Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306079, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6983705Z", + "kind": "event", 
+ "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uup", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52232, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMyLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + 
}, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.6992218Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306081, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.6992218Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uuq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52232, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMyLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, 
+ "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 
+ } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7003632Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306083, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7003632Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uuv", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + 
{ + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.37Z", + "pid": 52230, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMwLTEzMjk2NDkxMTgwLjM3MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 
136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7008805Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", 
+ "sequence": 306085, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7008805Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uuw", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "K1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.38Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306087, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.38Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uux", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52234, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM0LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" 
+ }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": 
"406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.38Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306089, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.38Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uuz", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52235, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM1LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.38Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306091, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.38Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uv+", + 
"category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52234, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM0LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7109407Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306093, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7109407Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uv1", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "L1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52235, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM1LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + 
"id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7116034Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306095, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7116034Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uv2", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, 
+ "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": 
"/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52235, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM1LTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "A-Z", + "a-z" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr A-Z a-z", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.713786Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 
306097, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.713786Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uv7", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.38Z", + "pid": 52233, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjMzLTEzMjk2NDkxMTgwLjM4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7143127Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + 
"variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306099, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7143127Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uv8", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52226, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI2LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7147818Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306101, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7147818Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uv9", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "M1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.36Z", + "pid": 52225, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjI1LTEzMjk2NDkxMTgwLjM2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + 
}, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7157162Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306103, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7157162Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UvA", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": 
"root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.39Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306105, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.39Z", + "kind": "event", + 
"module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UvB", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + 
"command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52237, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM3LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + 
"ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.39Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", 
+ "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306107, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.39Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UvD", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52237, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM3LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--print-architecture" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": 
"adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7171315Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306109, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7171315Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UvE", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "N1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52237, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM3LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--print-architecture" + ], + "session_leader": { + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --print-architecture", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7294651Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306111, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7294651Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uve", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + 
"group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.39Z", + "pid": 52236, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM2LTEzMjk2NDkxMTgwLjM5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7299431Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306113, + "ingested": 
"2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7299431Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uvf", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + 
"command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.42Z", + "pid": 52238, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM4LTEzMjk2NDkxMTgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + 
"ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.42Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", 
+ "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306115, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.42Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uvm", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.42Z", + "pid": 52238, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM4LTEzMjk2NDkxMTgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 
+ }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:42.7464305Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306117, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7464305Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uvn", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "O1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.42Z", + "pid": 52238, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM4LTEzMjk2NDkxMTgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "mkdir", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /etc/cmd", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7506438Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306119, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7506438Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uvw", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + 
"index": "logs-endpoint.events.process", + "id": "PFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.43Z", + "pid": 52239, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM5LTEzMjk2NDkxMTgwLjQzMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.43Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306121, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.43Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uw0", + "category": [ + "process" + ], + "type": 
[ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + 
"name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.43Z", + "pid": 52239, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM5LTEzMjk2NDkxMTgwLjQzMDAwMDAwMA==", + "executable": "/usr/bin/cat", + "args": [ + "cat" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cat", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.756846Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306123, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.756846Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uw4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.43Z", + "pid": 52239, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjM5LTEzMjk2NDkxMTgwLjQzMDAwMDAwMA==", + "executable": "/usr/bin/cat", + "args": [ + "cat" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, 
+ { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cat", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "cat", + "hash": { + "sha1": "eecdba8e7def6c111a084ae6164ffe1697bf4397", + "sha256": "df954abca766aceddd79dd20429e4f222019018667446626d3a641d3c47c50fc", + "md5": "dec1edc9a903636853ed9097faf5bb33" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7602468Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + 
}, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306125, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7602468Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uw9", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "P1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.44Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306127, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.44Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UwI", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", 
+ "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7665711Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306129, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7665711Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UwJ", + "category": [ + 
"process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find 
/etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.45Z", + "pid": 52241, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQxLTEzMjk2NDkxMTgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + 
}, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.45Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306131, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.45Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UwS", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.45Z", + "pid": 52241, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQxLTEzMjk2NDkxMTgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0700", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { 
+ "name": "root", + "id": 0 + }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7745525Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306133, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7745525Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UwX", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Q1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + 
"version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], 
+ "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.45Z", + "pid": 52241, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQxLTEzMjk2NDkxMTgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0700", + "/etc/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0700 /etc/cmd", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.776821Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + 
"event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306135, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.776821Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uwc", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", 
+ "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.44Z", + "pid": 52240, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQwLTEzMjk2NDkxMTgwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "d", + "-exec", + "chmod", + "0700", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type d -exec chmod 0700 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7798621Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306137, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7798621Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uwh", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.46Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306139, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.46Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uwi", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", 
+ "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7807509Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306141, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7807509Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uwj", + "category": [ + 
"process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "R1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find 
/etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52243, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQzLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + 
}, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.46Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306143, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.46Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uwv", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52243, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQzLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/config.ini" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7888263Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306145, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7888263Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Ux+", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + 
"type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + 
"0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52243, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQzLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/config.ini" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": 
[ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/config.ini", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7907489Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306147, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7907489Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Ux3", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + 
"find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52244, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ0LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + 
"id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.47Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": 
"default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306149, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.47Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Ux4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "S1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52244, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ0LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + 
"/etc/cmd/cmd.prj" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": 
"sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7934006Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306151, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7934006Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Ux9", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": 
"root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": 
"adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52244, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ0LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/cmd.prj" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.prj", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7965979Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 
2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306153, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7965979Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UxE", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52245, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ1LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec 
chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.47Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306155, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.47Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UxF", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + 
"executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52245, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ1LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/cmd.token" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.token", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.7981861Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + 
"agent_id_status": "auth_metadata_missing", + "sequence": 306157, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.7981861Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UxK", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "T1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + 
"{}", + ";" + ], + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "args_count": 0, + "executable": "/usr/bin/find" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.47Z", + "pid": 52245, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ1LTEzMjk2NDkxMTgwLjQ3MDAwMDAwMA==", + "executable": "/usr/bin/chmod", + "args": [ + "chmod", + "0600", + "/etc/cmd/cmd.token" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 
27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "chmod", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "chmod 0600 /etc/cmd/cmd.token", + "hash": { + "sha1": "f44efcf93d286c10450b4bc44053508620c372fd", + "sha256": "a3e141a69b71b7a6b55dee7ff73d0ee8755e90abab427cd6854341221a3b4748", + "md5": "655ee67724359cc2d1d9c523ff284c2b" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:42.8009386Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306159, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.8009386Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UxP", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.46Z", + "pid": 52242, + "working_directory": "/proc/filesystems", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQyLTEzMjk2NDkxMTgwLjQ2MDAwMDAwMA==", + "executable": "/usr/bin/find", + "args": [ + "find", + "/etc/cmd", + "-type", + "f", + "-exec", + "chmod", + "0600", + "{}", + ";" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "exit_code": 0, + "name": "find", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "find /etc/cmd -type f -exec chmod 0600 {} ;", + "hash": { + "sha1": "c60dfade56e7bda111d764a3aa48017cc8105eeb", + "sha256": "2c6049dde565c4f71a8b2b8ba59d93abee50b763ce4fe0d9d7b63a20f3f5a422", + "md5": "7ca65add76f8b5bcbd7fccd558f65999" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:42.8012932Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306161, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.8012932Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UxR", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": 
"root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:20.48Z", + "pid": 52246, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ2LTEzMjk2NDkxMTgwLjQ4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:20.48Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306163, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:20.48Z", + "kind": "event", + "module": "endpoint", + 
"action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UxV", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + 
"id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.48Z", + "pid": 52246, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ2LTEzMjk2NDkxMTgwLjQ4MDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5", + "https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + 
"parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 9, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "curl -s -w %{http_code} -H project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5 https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:42.8078946Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306165, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:42.8078946Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UxX", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.48Z", + "pid": 52246, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ2LTEzMjk2NDkxMTgwLjQ4MDAwMDAwMA==", + "executable": "/usr/bin/curl", + "args": [ + "curl", + "-s", + "-w", + "%{http_code}", + "-H", + "project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5", + 
"https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb", + "-o", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "curl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "curl -s -w %{http_code} -H project-key: fea325523fbfbbc31663449c2f7b5a7a84b458592930e3299b7f10cba660651519ca6f63ed7bbb4cc9af33146ecbac57fb1a0acf1519720aa7a24929fb19fcf5 https://sub4.c-app.cmd.com/download/cmd?architecture=amd64&format=deb -o /tmp/amd64.deb", + "hash": { + "sha1": "a11d9aa4d8655b2837e1b74460dbde18e3fe32b2", + "sha256": "a3ec2a59824f42d64f6ed6f3026a3f92a6f6017077853ee29f055efaeb1d5455", + "md5": "fd39da18fe71abe77532a98ed3539e1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0135498Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306173, + 
"ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0135498Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uzo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "V1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + 
"command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + 
"ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.7Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + 
"127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306175, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.7Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uzt", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 
24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:44.0225537Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306177, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0225537Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uzx", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.71Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306179, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.71Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V+L", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "WlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 
+ }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0427639Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + 
"127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306181, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0427639Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V+S", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "W1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + 
}, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { 
+ "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && 
/usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.72Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306183, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.72Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V+Y", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, 
+ "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.72Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + 
"127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306185, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.72Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V+Z", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0486396Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306187, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0486396Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V+a", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": 
"root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + 
"id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.73Z", + "pid": 52252, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUyLTEzMjk2NDkxMTgxLjczMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.73Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + 
"name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306189, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.73Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V+g", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "X1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.73Z", + "pid": 52252, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUyLTEzMjk2NDkxMTgxLjczMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + 
"id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0527687Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306191, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0527687Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V+h", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + 
"id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 
+ }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.73Z", + "pid": 52252, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUyLTEzMjk2NDkxMTgxLjczMDAwMDAwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + 
"start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0624691Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306195, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0624691Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V+v", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.75Z", + "pid": 52253, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUzLTEzMjk2NDkxMTgxLjc1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + 
"id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.75Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306197, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.75Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V/5", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Y1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + 
}, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:46:21.75Z", + "pid": 52253, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUzLTEzMjk2NDkxMTgxLjc1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-split", + "args": [ + "dpkg-split", + "-Qao", + "/var/lib/dpkg/reassemble.deb", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-split", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0745099Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 306199, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0745099Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V/9", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.75Z", + "pid": 52253, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUzLTEzMjk2NDkxMTgxLjc1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-split", + "args": [ + "dpkg-split", + "-Qao", + "/var/lib/dpkg/reassemble.deb", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", 
+ "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "dpkg-split", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/amd64.deb", + "hash": { + "sha1": "1164d7ce3e863dfd2a08d525bee81913e977fb45", + "sha256": "5979bd01207b92168c1c5d4c892695baced753fd13b404e4cc4aff35acfcd646", + "md5": "64f52dbd8518a6785de7296d9e76ce72" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0820579Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + 
"namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306201, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0820579Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V/S", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", 
+ "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { 
+ "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306203, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V/U", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + 
"executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0853246Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + 
], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306205, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0853246Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V/Y", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Z1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52255, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU1LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.77Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306207, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.77Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V/i", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52256, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU2LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": 
"/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + 
{ + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.77Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306209, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.77Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V/j", + "category": [ + "process" + ], + "type": 
[ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52257, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU3LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:21.77Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": 
"codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306211, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:21.77Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2V/l", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "alW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52255, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU1LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": 
"dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0953659Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306213, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0953659Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V/k", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } 
+ } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "a1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": 
"sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52257, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU3LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/tar", + "args": [ + "tar", + "-x", + "-f", + "-", + "--warning=no-timestamp" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tar", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 5, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.0971749Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": 
"ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306215, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.0971749Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2V/s", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "bFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52256, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU2LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb 
--control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1130486Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306217, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1130486Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V0F", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "clW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, 
+ "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg-deb", + 
"--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg-deb" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.77Z", + "pid": 52257, + "working_directory": "/var/lib/dpkg/tmp.ci", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU3LTEzMjk2NDkxMTgxLjc3MDAwMDAwMA==", + "executable": "/usr/bin/tar", + "args": [ + "tar", + "-x", + "-f", + "-", + "--warning=no-timestamp" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tar", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tar -x -f - --warning=no-timestamp", + "hash": { + "sha1": "18c40bff8f913e7a8cf46c9d0ff489335bd3d3aa", + "sha256": "a6b2054c8231d8973f2626ef66c2f9681cb0a27c5fc616df49eb0436a93399dd", + "md5": "083e87381a0b156ad66758ff2ba87f57" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1203379Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306229, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1203379Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V0U", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "c1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.76Z", + "pid": 52254, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU0LTEzMjk2NDkxMTgxLjc2MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--control", + "/tmp/amd64.deb", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --control /tmp/amd64.deb /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": 
"08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.1251935Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306231, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.1251935Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2V0i", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + 
"session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { 
+ "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.58Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306237, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.58Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VNY", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", 
+ "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "d1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", 
+ "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": 
"10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:44.9050688Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 
21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306239, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:44.9050688Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VNd", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52259, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU5LTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + 
"group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + 
"md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.59Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306241, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.59Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VNn", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52260, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYwLTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.59Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306243, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.59Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": 
"MbEL/BDTBn1bDrQw++++2VNo", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "fFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52259, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU5LTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0283779Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": 
"codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306249, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0283779Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VOS", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "gVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.59Z", + "pid": 52260, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYwLTEzMjk2NDkxMTgyLjU5MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", 
+ "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0423011Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306259, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0423011Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VOj", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "glW0r4ABxtjWu-ucATYD", + "source": { + "agent": 
{ + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" 
+ } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.58Z", + "pid": 52258, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjU4LTEzMjk2NDkxMTgyLjU4MDAwMDAwMA==", + "executable": "/usr/bin/dpkg-deb", + "args": [ + "dpkg-deb", + "--fsys-tarfile", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 
136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-deb", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg-deb --fsys-tarfile /tmp/amd64.deb", + "hash": { + "sha1": "7cbfe768a79285b855cec38636f49fe9db5ec026", + "sha256": "8185ea87885a95b4e878146b307cdb21b0d0fd17b7c9425390d2f22cad49f14e", + "md5": "08ce10552a0339864e66190748f94f13" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0425552Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + 
"agent_id_status": "auth_metadata_missing", + "sequence": 306261, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0425552Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VOm", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "kVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", 
+ "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.76Z", + "pid": 52261, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYxLTEzMjk2NDkxMTgyLjc2MDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", 
+ "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306291, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VPV", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "klW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + 
], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.76Z", + "pid": 52261, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYxLTEzMjk2NDkxMTgyLjc2MDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": [ + "touch", + "/run/needrestart/unpacked" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "touch", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": "2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0814988Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": 
"x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306293, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0814988Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VPW", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "lVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + 
"start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.76Z", + "pid": 52261, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYxLTEzMjk2NDkxMTgyLjc2MDAwMDAwMA==", + "executable": "/usr/bin/touch", + "args": [ + "touch", + "/run/needrestart/unpacked" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "touch", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "touch /run/needrestart/unpacked", + "hash": { + "sha1": 
"2fbc3bb2cf887bd8edcb9177d40e9576c55f5719", + "sha256": "a7558a34447cbcbe7af2951d3c435d3b65bfdd5e9225df1a99970a592378fab0", + "md5": "6942c7b2fccc8bedf025b6f4a59d7242" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.0922392Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306299, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.0922392Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VPg", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "mFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.78Z", + "pid": 52262, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYyLTEzMjk2NDkxMTgyLjc4MDAwMDAwMA==", + 
"executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 
4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.78Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306305, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.78Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VQ0", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + 
"user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "mVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.78Z", + "pid": 52262, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYyLTEzMjk2NDkxMTgyLjc4MDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-rf", + "--", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": 
true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.1090622Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": 
"linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306307, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.1090622Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VQ4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "nFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": 
"root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.78Z", + "pid": 52262, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYyLTEzMjk2NDkxMTgyLjc4MDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-rf", + "--", + "/var/lib/dpkg/tmp.ci" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf -- /var/lib/dpkg/tmp.ci", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + 
"sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.114271Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306313, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.114271Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VQE", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "qlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.84Z", + "pid": 52263, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYzLTEzMjk2NDkxMTgyLjg0MDAwMDAwMA==", + 
"executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 
4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.84Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306341, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.84Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VQg", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + 
"user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "q1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.84Z", + "pid": 52263, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYzLTEzMjk2NDkxMTgyLjg0MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": [ + "/bin/sh", + "/var/lib/dpkg/info/cmd.postinst", + "configure", + "" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.postinst", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + "md5": "01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.1622766Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 
2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306343, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.1622766Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VQj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "rFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.84Z", + "pid": 52263, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjYzLTEzMjk2NDkxMTgyLjg0MDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.postinst", + "args": [ + "/bin/sh", + "/var/lib/dpkg/info/cmd.postinst", + "configure", + "" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cmd.postinst", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + 
"user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /var/lib/dpkg/info/cmd.postinst configure ", + "hash": { + "sha1": "dd8c652bab9cfd7c2a81796014e7223277c48281", + "sha256": "2f9581444bd16ae4436f37cd3f995193778a055b953082e02c0f62c8d146ccb0", + "md5": "01bd3f90082b37dc6c16ec39f6d71f90" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.1658813Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306345, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.1658813Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VQs", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "vFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2040973Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306377, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2040973Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": 
"MbEL/BDTBn1bDrQw++++2VRc", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "vVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.88Z", + "pid": 52264, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY0LTEzMjk2NDkxMTgyLjg4MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.88Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306379, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.88Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VRg", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "vlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52251, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUxLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2081213Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306381, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2081213Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VRf", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "v1W0r4ABxtjWu-ucATYD", + 
"source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": 
"dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.72Z", + "pid": 52250, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjUwLTEzMjk2NDkxMTgxLjcyMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2085155Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306383, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2085155Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VRi", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "wFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.7Z", + "pid": 52248, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ4LTEzMjk2NDkxMTgxLjcwMDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg -i /tmp/amd64.deb", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "-i", + "/tmp/amd64.deb" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:21.71Z", + "pid": 52249, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjQ5LTEzMjk2NDkxMTgxLjcxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": 
"kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": 
"7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2088405Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306385, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2088405Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VRl", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "wVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.88Z", + "pid": 52264, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY0LTEzMjk2NDkxMTgyLjg4MDAwMDAwMA==", 
+ "executable": "/usr/bin/rm", + "args": [ + "rm", + "-f", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 
+ }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2166513Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306387, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2166513Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VRj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + 
}, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "w1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + 
"id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.88Z", + "pid": 52264, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY0LTEzMjk2NDkxMTgyLjg4MDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-f", + "/tmp/amd64.deb" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -f /tmp/amd64.deb", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2202677Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], 
+ "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306391, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2202677Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VRw", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + 
"args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.9Z", + "pid": 52265, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY1LTEzMjk2NDkxMTgyLjkwMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.9Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": 
"Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306393, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.9Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VRy", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, 
+ "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.9Z", + "pid": 52265, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY1LTEzMjk2NDkxMTgyLjkwMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + 
"@timestamp": "2022-05-10T20:40:45.238083Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306395, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.238083Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VST", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + 
"name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.92Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306397, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.92Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VSZ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "x1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + 
}, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52267, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY3LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + 
"executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.92Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306399, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.92Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VSb", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + 
"name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "yFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": 
"dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52267, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY3LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2452607Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + 
"10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306401, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2452607Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VSd", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "yVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52267, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY3LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": 
"sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:45.2500353Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306403, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2500353Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VSi", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ylW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:45.2505301Z", + "pid": 52268, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY4LTEzMjk2Njg4ODQ1LjI1MDUzMDEwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2505301Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306405, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2505301Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VSj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "y1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + 
"start": "2022-05-08T13:46:22.93Z", + "pid": 52269, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY5LTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.93Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306407, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.93Z", + "kind": "event", + "module": "endpoint", + 
"action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VSl", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "zFW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + 
"group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:45.2505301Z", + "pid": 52268, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY4LTEzMjk2Njg4ODQ1LjI1MDUzMDEwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + 
}, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2526149Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + 
"172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306409, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2526149Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VSn", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "zVW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52269, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY5LTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + 
"id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process 
event", + "@timestamp": "2022-05-10T20:40:45.2529583Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306411, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2529583Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VSo", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "zlW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52269, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY5LTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.254846Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306413, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.254846Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2VSt", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } 
+ } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "z1W0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.92Z", + "pid": 
52266, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjY2LTEzMjk2NDkxMTgyLjkyMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": 
"kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2553271Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306415, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2553271Z", + "kind": "event", + "module": "endpoint", + "action": "end", + 
"id": "MbEL/BDTBn1bDrQw++++2VSu", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "0FW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52270, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjcwLTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:22.93Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306417, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-08T13:46:22.93Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2VSv", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "0VW0r4ABxtjWu-ucATYD", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52270, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjcwLTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "enable", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 
+ }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:45.2561285Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306419, + "ingested": "2022-05-10T20:40:51Z", + "created": "2022-05-10T20:40:45.2561285Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2VSw", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "T1W0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:22.93Z", + "pid": 52270, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjcwLTEzMjk2NDkxMTgyLjkzMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "enable", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.8140323Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306671, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.8140323Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2XeF", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UFW0r4ABxtjWu-ucKTeU", + "source": { + "agent": 
{ + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:32.49Z", + "pid": 52305, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzA1LTEzMjk2NDkxMTkyLjQ5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 
1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:32.49Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306673, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-08T13:46:32.49Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2XeI", + "category": [ + "process" + ], + "type": [ + "start" + 
], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UVW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + 
"id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52218 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:32.49Z", + "pid": 52305, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzA1LTEzMjk2NDkxMTkyLjQ5MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.8161178Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + 
"10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306675, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.8161178Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2XeK", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VVW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:32.49Z", + "pid": 52305, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzA1LTEzMjk2NDkxMTkyLjQ5MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:40:54.9302956Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306683, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.9302956Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Xh2", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "V1W0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.19Z", + "pid": 52221, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjIxLTEzMjk2NDkxMTgwLjE5MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + 
"args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": 
"root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:54.9784941Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306687, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:54.9784941Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2XhM", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WlW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:20.02Z", + "pid": 52219, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE5LTEzMjk2NDkxMTgwLjIwMDAwMDAw", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + 
"session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { 
+ "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:55.0162733Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306693, + "ingested": "2022-05-10T20:41:01Z", + "created": 
"2022-05-10T20:40:55.0162733Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Xhd", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "o1W0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": 
"dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { 
+ "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + 
"md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:36.12Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306839, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-08T13:46:36.12Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2YBO", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "pFW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + 
"id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52318, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE4LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:36.12Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + 
"dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306841, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-08T13:46:36.12Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2YBP", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "pVW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": 
[ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52318, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE4LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": [ + "grep", + "--color=auto", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], 
+ "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "grep", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 3, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.4496793Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + 
"platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306843, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:58.4496793Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2YBS", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "plW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + 
"session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { 
+ "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "ps aux", + "hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.4499527Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306845, + "ingested": "2022-05-10T20:41:01Z", + "created": 
"2022-05-10T20:40:58.4499527Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2YBT", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "p1W0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": 
"dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52317, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE3LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "ps aux", + 
"hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.6289903Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306847, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:58.6289903Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2YJX", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } 
+ } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "qFW0r4ABxtjWu-ucKTeU", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:46:36.12Z", + "pid": 52318, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMzE4LTEzMjk2NDkxMTk2LjEyMDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": [ + "grep", + "--color=auto", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": 
{ + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "grep", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:58.6307219Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306849, + "ingested": "2022-05-10T20:41:01Z", + "created": "2022-05-10T20:40:58.6307219Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2YJY", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "wFWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + 
"id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:23.77Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305381, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-08T13:44:23.77Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TMj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } 
+ }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "wVWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52163, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYzLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + 
}, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:23.77Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305383, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-08T13:44:23.77Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TMk", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "wlWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 
27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52163, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYzLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": [ + "grep", + "--color=auto", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "grep", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 3, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.1020016Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + 
"variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305385, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.1020016Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TMm", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "w1Wyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + 
"id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "ps aux", + "hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.1025087Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305387, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.1025087Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TMp", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xFWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": 
{ + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "name": "ps", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52162, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYyLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/ps", + "args": [ + "ps", + "aux" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ps", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "ps aux", + "hash": { + "sha1": "76f7135d070445f53d96804413ee29026b96c57b", + "sha256": "94391ba36b39a425b349b1ffa7cda195b888e25b8016c8a41fea345ac8c1959f", + "md5": "97b92a84ef38a9298054e3eaeacb42a5" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.2830771Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305389, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.2830771Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2TUl", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": 
"endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xVWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + 
"args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:23.77Z", + "pid": 52163, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTYzLTEzMjk2NDkxMDYzLjc3MDAwMDAwMA==", + "executable": "/usr/bin/grep", + "args": [ + "grep", + "--color=auto", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "grep", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "grep --color=auto cmd", + "hash": { + "sha1": "b9cedf6bbf2cd89ddaf5e2b7e8c8bddc98b4b037", + "sha256": "2674a998b9a1969477fa71f7d01bebf450733c418a13b52b5b64e758297c72dd", + "md5": "0b1b0e3205c1b31d339a6959c73d5035" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:46.2834922Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + 
"full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305391, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:46.2834922Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2TUm", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "xlWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:26.32Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305393, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-08T13:44:26.32Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TUp", + "category": [ + "process" + ], + "type": [ 
+ "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "x1Wyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": [ + "cmd" + ], + "name": "cmd", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": [ + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + 
"id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "cmd", + "hash": { + "sha1": "3f70742de7ef38ae88f4320eb9590b04f0093cbc", + "sha256": "c1966b7c8f2caa8bbd885ca04cea21ff42c0b0600ca9976150d7fbd00734c7ea", + "md5": "715f0b95075ad39f940c9ee9dc7cd9a7" + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:48.6486305Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305395, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:48.6486305Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TUq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "yFWyr4ABxtjWu-ucRTTK", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": [ + "cmd" + ], + "name": "cmd", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 
+ }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:26.32Z", + "pid": 52166, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY2LTEzMjk2NDkxMDY2LjMyMDAwMDAwMA==", + "executable": "/usr/sbin/cmd", + "args": [ + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "cmd", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "cmd", + "hash": { + "sha1": "3f70742de7ef38ae88f4320eb9590b04f0093cbc", + "sha256": "c1966b7c8f2caa8bbd885ca04cea21ff42c0b0600ca9976150d7fbd00734c7ea", + "md5": "715f0b95075ad39f940c9ee9dc7cd9a7" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:38:48.6691569Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305397, + "ingested": "2022-05-10T20:38:57Z", + "created": "2022-05-10T20:38:48.6691569Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2TVI", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "yVWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:36.76Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ 
+ "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305399, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-08T13:44:36.76Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TVX", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ylWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.0856444Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305401, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.0856444Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TVa", + "category": [ + "process" + ], + "type": [ + "change" + ], + 
"dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "y1Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": 
"kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": 
"1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5394188Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305403, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5394188Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TVY", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "zFWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + 
"systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", 
+ "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 
46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5398781Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305405, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5398781Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWU", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "zVWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5398981Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": 
{ + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305407, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5398981Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWW", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "zlWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", + "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + 
"executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5399191Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + 
"ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305409, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5399191Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWY", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "z1Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + 
"cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5399491Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305411, + "ingested": "2022-05-10T20:39:08Z", + 
"created": "2022-05-10T20:38:59.5399491Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWb", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "0FWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + 
}, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", + "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": 
{ + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": 
"daemon", + "id": 1 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5399946Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305413, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5399946Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWg", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { 
+ "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "0VWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + 
}, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5400242Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305415, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5400242Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWj", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "0lWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:38:59.5401111Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305417, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5401111Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWq", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "01Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5401315Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305419, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5401315Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWs", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "1FWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": 
"kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5401509Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + 
"02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305421, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5401509Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TWu", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "1VWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + 
"command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5402197Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305423, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5402197Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TX/", + "category": [ + 
"process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "1lWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + 
}, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": 
"1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5402556Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305425, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5402556Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TX3", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "11Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + 
"systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", 
+ "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 
46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5403511Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305427, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5403511Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TXE", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2FWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5407464Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305429, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5407464Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TXt", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2VWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { 
+ "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + 
"executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5407703Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + 
"ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305431, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5407703Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TXw", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "2lWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", 
+ "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5408819Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305433, + "ingested": "2022-05-10T20:39:08Z", + 
"created": "2022-05-10T20:38:59.5408819Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2TY5", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "21Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "group": { + "name": "root", + 
"id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + 
"args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + 
}, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5413511Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305435, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5413511Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TYW", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "3FWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": 
"/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + 
] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5416991Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305437, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5416991Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2TYg", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "3VWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5417431Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305439, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5417431Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TYh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "3lWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", 
+ "args": [ + "systemctl", + "start", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5420968Z", + "pid": 52169, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY5LTEzMjk2Njg4NzM5LjU0MjA5NjgwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + 
"systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + 
{ + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5420968Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305441, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5420968Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2TZA", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + 
"name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "31Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "start", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5420968Z", + "pid": 52169, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY5LTEzMjk2Njg4NzM5LjU0MjA5NjgwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": [ + "/bin/systemd-tty-ask-password-agent", + "--watch" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemd-tty-ask-password-agent", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + 
}, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": "3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5423612Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305443, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5423612Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2TZB", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "41Wyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "start", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5420968Z", + "pid": 52169, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY5LTEzMjk2Njg4NzM5LjU0MjA5NjgwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": [ + "/bin/systemd-tty-ask-password-agent", + "--watch" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemd-tty-ask-password-agent", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": 
"3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5449442Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305451, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5449442Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2TaL", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "5FWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + 
}, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:38:59.5413511Z", + "pid": 52168, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY4LTEzMjk2Njg4NzM5LjU0MTM1MTEwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5456283Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": 
"codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305453, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5456283Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2TaN", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "5lWyr4ABxtjWu-ucbjTn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:36.76Z", + "pid": 52167, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTY3LTEzMjk2NDkxMDc2Ljc2MDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl start cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:59.5463972Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + 
"name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305457, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:38:59.5463972Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Tad", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:40.32Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305597, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-08T13:44:40.32Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2U4V", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" 
+ }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { 
+ "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 
+ }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6530711Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305599, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6530711Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U4Y", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "LlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "same_as_process": true, + 
"user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:39:02.6562865Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305601, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6562865Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2U4W", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "L1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6801017Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305603, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6801017Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5R", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + 
"name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6805509Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ 
+ "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305605, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6805509Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5T", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + 
"command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", + "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.680964Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305607, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.680964Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5V", + "category": [ + 
"process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "MlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + 
}, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": 
"1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6819956Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305609, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6819956Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5Y", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "M1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + 
"systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", + "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", 
+ "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6842578Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305611, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6842578Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5d", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6852847Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305613, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6852847Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5g", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + 
"executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": 
{ + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6884576Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + 
"ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305615, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6884576Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5n", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "NlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 
136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + 
"cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6888771Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305617, + "ingested": "2022-05-10T20:39:08Z", + 
"created": "2022-05-10T20:39:02.6888771Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5p", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "N1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + 
}, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": 
"root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6893275Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305619, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6893275Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5r", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + 
"real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + 
}, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6921997Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305621, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6921997Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U5y", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + 
"ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:39:02.6932286Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305623, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6932286Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U60", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "OlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.6966015Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305625, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.6966015Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U6B", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "O1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, 
+ "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.7158415Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305627, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.7158415Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U6q", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 
110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.7165893Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305629, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.7165893Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": 
"MbEL/BDTBn1bDrQw++++2U6t", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, 
+ { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", 
+ "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": 
"1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.7234937Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305631, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.7234937Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2U73", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + 
+ { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "PlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { 
+ "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:40.42Z", + "ecs": { + "version": 
"1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305633, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-08T13:44:40.42Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2U7T", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "P1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.7557495Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + 
"10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305635, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.7557495Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2U7e", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + 
"status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + 
"group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.756987Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305637, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.756987Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2U7f", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.45Z", + "pid": 52185, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg1LTEzMjk2NDkxMDgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], 
+ "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 
0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:40.45Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305639, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-08T13:44:40.45Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2U87", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "QlWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", 
+ "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "status", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.45Z", + "pid": 52185, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg1LTEzMjk2NDkxMDgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/less", + "args": [ + "less" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "less", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "less", + "hash": { + "sha1": "680102c9406f1428555fcf616a9ef7ec9963105e", + "sha256": "f4a8397e52c63c1cd7d941f277d869a7f9c231dfd6a1333dad172b8b11b1b606", + "md5": "135efaf1026ea9e8ae7f731357fe6b9f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-10T20:39:02.785576Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305641, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.785576Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2U8I", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Q1Wyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + 
"group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "status", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.45Z", + "pid": 52185, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg1LTEzMjk2NDkxMDgwLjQ1MDAwMDAwMA==", + "executable": "/usr/bin/less", + "args": [ + "less" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "less", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "less", + "hash": { + "sha1": "680102c9406f1428555fcf616a9ef7ec9963105e", + "sha256": "f4a8397e52c63c1cd7d941f277d869a7f9c231dfd6a1333dad172b8b11b1b606", + "md5": "135efaf1026ea9e8ae7f731357fe6b9f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8606345Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305643, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8606345Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UAi", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RFWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:40.42Z", + "pid": 52184, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg0LTEzMjk2NDkxMDgwLjQyMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 3, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl status cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8610262Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305645, + "ingested": 
"2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8610262Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UAj", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RVWyr4ABxtjWu-ucbjXn", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", 
+ "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:40.32Z", + "pid": 52183, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTgzLTEzMjk2NDkxMDgwLjMyMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "systemctl", + "status", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 3, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + 
"args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo systemctl status cmd", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:02.8738434Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305647, + "ingested": "2022-05-10T20:39:08Z", + "created": "2022-05-10T20:39:02.8738434Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UAp", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + 
}, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "RlWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52186, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg2LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + 
}, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + 
"id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:53.8Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305649, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-08T13:44:53.8Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UBj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "R1Wyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 
27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52186, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg2LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.1206117Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": 
"ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305651, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.1206117Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UBl", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SFWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52187, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg3LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, 
+ "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + 
}, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:53.8Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305653, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-08T13:44:53.8Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": 
"MbEL/BDTBn1bDrQw++++2UBm", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SVWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, 
+ { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:53.8Z", + "pid": 52187, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg3LTEzMjk2NDkxMDkzLjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.1223276Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305655, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.1223276Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UBp", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "SlWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": 
"endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + 
}, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:54.23Z", + "pid": 52188, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg4LTEzMjk2NDkxMDk0LjIzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, 
+ "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:54.23Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + 
"id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305657, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-08T13:44:54.23Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UCC", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "S1Wyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:54.23Z", + "pid": 52188, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg4LTEzMjk2NDkxMDk0LjIzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.5497862Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", 
+ "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305659, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.5497862Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UCE", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TFWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { 
+ "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-10T20:39:16.5506041Z", + "pid": 52189, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg5LTEzMjk2Njg4NzU2LjU1MDYwNDEwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": 
{ + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + 
"id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.5506041Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305661, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.5506041Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UCG", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + 
"id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "TVWyr4ABxtjWu-uclzV8", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-10T20:39:16.5506041Z", + "pid": 52189, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTg5LTEzMjk2Njg4NzU2LjU1MDYwNDEwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:16.5509111Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305663, + "ingested": "2022-05-10T20:39:18Z", + "created": "2022-05-10T20:39:16.5509111Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UCJ", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aVWyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:10.98Z", + "pid": 52117, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTE3LTEzMjk2NDkxMDUwLjk4MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "enable", + "cmd" + ], + "session_leader": { + "real_user": { 
+ "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { 
+ "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl enable cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.7605179Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305207, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.7605179Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2SpY", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 
0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "alWyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, 
+ "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:20.44Z", + "pid": 52151, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTUxLTEzMjk2NDkxMDYwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:20.44Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305209, + "ingested": "2022-05-10T20:38:47Z", + "created": 
"2022-05-08T13:44:20.44Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Spb", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "a1Wyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": 
"root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "pid": 52066 + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:20.44Z", + "pid": 52151, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTUxLTEzMjk2NDkxMDYwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { 
+ "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.7650514Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + 
"name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305211, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.7650514Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Spd", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "b1Wyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": 
true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:20.44Z", + "pid": 52151, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTUxLTEzMjk2NDkxMDYwLjQ0MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "start", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl start cmd", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + 
"group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.8719189Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305219, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.8719189Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2SsI", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "cFWyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "bash" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:08.71Z", + "pid": 52069, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY5LTEzMjk2NDkxMDQ4LjcxMDAwMDAwMA==", + "executable": "/usr/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.9286657Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305221, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.9286657Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Ssa", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "dFWyr4ABxtjWu-ucHDT4", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:06.6Z", + "pid": 52067, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY3LTEzMjk2NDkxMDQ2LjYwMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo bash", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:42.9688053Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305229, + "ingested": "2022-05-10T20:38:47Z", + "created": "2022-05-10T20:38:42.9688053Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Ssr", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "kVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 
52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:02.34Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305779, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:02.34Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2ULr", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", 
+ "value": { + "index": "logs-endpoint.events.process", + "id": "klWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + 
"id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": 
"kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + 
"group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.6646003Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305781, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.6646003Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2ULs", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "k1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + 
"name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:02.35Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + 
"variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305783, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:02.35Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UMJ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "lFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9646614Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu 
SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305785, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9646614Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UMQ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "lVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, 
+ "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:02.4Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305787, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:02.4Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UMU", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "llWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:02.41Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" 
+ } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305789, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:02.41Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UMW", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "l1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + 
"executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, 
+ { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + 
"message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9685482Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305791, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9685482Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UMX", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "mFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:24.9687687Z", + "pid": 52209, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA5LTEzMjk2Njg4ODI0Ljk2ODc2ODcwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, 
+ "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9687687Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305793, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9687687Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UMe", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "mVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:24.9687687Z", + "pid": 52209, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA5LTEzMjk2Njg4ODI0Ljk2ODc2ODcwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + 
"sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9690424Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305795, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9690424Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UMf", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "m1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + 
{ + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "args_count": 0, + "executable": "/usr/lib/needrestart/dpkg-status" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-10T20:40:24.9687687Z", + "pid": 52209, + "working_directory": "/run", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA5LTEzMjk2Njg4ODI0Ljk2ODc2ODcwMA==", + "executable": "/usr/bin/mkdir", + "args": [ + "mkdir", + "-p", + "/run/needrestart" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + 
"-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "mkdir", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + 
"id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "mkdir -p /run/needrestart", + "hash": { + "sha1": "ee8e9063a9c3a105690de4bc2a796543c40dd9c8", + "sha256": "7c2b4db62a68554a8d889654117bf3841775397295de7402e310d293b15bc413", + "md5": "682f61cbbbd7a2a3820f79616eac9602" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:24.9692104Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305799, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:24.9692104Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UMt", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "oFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": 
"root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + 
"@timestamp": "2022-05-08T13:46:03.08Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305809, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.08Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UjU", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "oVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": 
"char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { 
+ "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.3987032Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 
14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305811, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.3987032Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UjW", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "olWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" 
+ }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.08Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + 
"02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305813, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.08Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Ujf", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "o1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + 
"name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52212, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEyLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, 
+ "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.08Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305815, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.08Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": 
"MbEL/BDTBn1bDrQw++++2Ujh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "pFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", 
+ "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52212, + "working_directory": 
"/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEyLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4056347Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305817, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4056347Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2Ujj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "pVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", 
+ "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52212, + "working_directory": 
"/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEyLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/usr/bin/readlink", + "args": [ + "readlink", + "/proc/1/exe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "readlink", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "readlink /proc/1/exe", + "hash": { + "sha1": "4d89f805a4812374ad372c68d133f6efd09d96f3", + "sha256": "284d7f91dd6e02871afb46f19d2aab2cb7571bacb6c382d6df56d5f6f59d7ae8", + "md5": "5eaeababd7dc6bb9348867431cf32f35" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4089529Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305819, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4089529Z", + "kind": "event", + "module": "endpoint", + "action": "end", + 
"id": "MbEL/BDTBn1bDrQw++++2Ujo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "plWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + 
"/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52213, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEzLTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + 
"args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { 
+ "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.09Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305821, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.09Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Ujp", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + 
"name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "p1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash 
/var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52214, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE0LTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.09Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305823, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.09Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Ujq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "qFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { 
+ "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52213, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEzLTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + 
"id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4167455Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305825, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4167455Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Ujt", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "qVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52214, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE0LTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": "92af9c32a56307f6d3187c33096dc4a3" + }, 
+ "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4174695Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305827, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4174695Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uju", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "qlWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.09Z", + "pid": 52214, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE0LTEzMjk2NDkxMTYzLjkwMDAwMDAw", + "executable": "/usr/bin/tr", + "args": [ + "tr", + "[A-Z]", + "[a-z]" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "tr", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "tr [A-Z] [a-z]", + "hash": { + "sha1": "f6fcb376d183ebd588e95e71d7bb7a609549af5d", + "sha256": "bd25374cb2f4c51349c3817afd384bdb5e3598d1146305ba654616a1e19e53f9", + "md5": 
"92af9c32a56307f6d3187c33096dc4a3" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4227022Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305829, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4227022Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Ujz", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "q1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52211, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjExLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 
24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4238276Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305831, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4238276Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Uk+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "rFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.1Z", + "pid": 52215, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE1LTEzMjk2NDkxMTYzLjEwMDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 
52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.1Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": 
"linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305833, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.1Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Uk/", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "rVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { 
+ "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.1Z", + "pid": 52215, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE1LTEzMjk2NDkxMTYzLjEwMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-rf", + "/var/lib/cmd", + "/var/run/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf /var/lib/cmd /var/run/cmd", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4249349Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": 
"ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305835, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4249349Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Uk0", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "tVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { 
+ "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.1Z", + "pid": 52215, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE1LTEzMjk2NDkxMTYzLjEwMDAwMDAwMA==", + "executable": "/usr/bin/rm", + "args": [ + "rm", + "-rf", + "/var/lib/cmd", + "/var/run/cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "rm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "rm -rf /var/lib/cmd /var/run/cmd", + "hash": { + "sha1": "9a9c6ac47473c3cea788677944bfa8139a65de4a", + "sha256": "12995632e92637107ade569f0646704afd6ad112bc4fd5e8d433428876e725a2", + "md5": "293c386a9257f691787b3baa83876321" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4339601Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", 
+ "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305851, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4339601Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UkG", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "tlWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { 
+ "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.11Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + 
"agent_id_status": "auth_metadata_missing", + "sequence": 305853, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.11Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UkI", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "t1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": "/var/lib/dpkg/info/cmd.prerm" 
+ } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/deb-systemd-invoke", + "args": [ + "/usr/bin/perl", + "/usr/bin/deb-systemd-invoke", + "stop", + "cmd.service" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "deb-systemd-invoke", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 4, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/usr/bin/perl /usr/bin/deb-systemd-invoke stop cmd.service", + "hash": { + "sha1": "a1fe42141d1eea957fdf5013f56ec8e7a382fed2", + "sha256": "2fab0c962d255c5ce33efc2147937266b1abbe261216199d62e21d0f87e9ef65", + "md5": "f7e298d80524581e3d95865f579ec2ab" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4362224Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + 
"architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305855, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4362224Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UkL", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "uFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + "executable": 
"/var/lib/dpkg/info/cmd.prerm" + }, + { + "args": [ + "/usr/bin/perl", + "/usr/bin/deb-systemd-invoke", + "stop", + "cmd.service" + ], + "args_count": 4, + "executable": "/usr/bin/deb-systemd-invoke" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4477316Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + 
"name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305857, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4477316Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Ukb", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "uVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + 
"id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.14Z", + "pid": 52217, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE3LTEzMjk2NDkxMTYzLjE0MDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:46:03.14Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + 
"agent_id_status": "auth_metadata_missing", + "sequence": 305859, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-08T13:46:03.14Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Ul3", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ulWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + 
"pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "args_count": 0, + "executable": "/usr/bin/systemctl" + } + ], + 
"real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.14Z", + "pid": 52217, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE3LTEzMjk2NDkxMTYzLjE0MDAwMDAwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": [ + "/bin/systemd-tty-ask-password-agent", + "--watch" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 
136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "systemd-tty-ask-password-agent", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": "3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4683301Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": 
{ + "agent_id_status": "auth_metadata_missing", + "sequence": 305861, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4683301Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Ul6", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "u1Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "args_count": 0, + "executable": 
"/usr/bin/systemctl" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.14Z", + "pid": 52217, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE3LTEzMjk2NDkxMTYzLjE0MDAwMDAwMA==", + "executable": "/bin/systemd-tty-ask-password-agent", + "args": [ + "/bin/systemd-tty-ask-password-agent", + "--watch" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": 
{ + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 15, + "name": "systemd-tty-ask-password-agent", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/systemd-tty-ask-password-agent --watch", + "hash": { + "sha1": "16da89959976150cc95ea58b33ebc35c2419ffe6", + "sha256": "a184188e6d947634a98a9667ad4281e556670cbacff7e0beb57c7e9cb69e7a89", + "md5": "3607fd619b6534f4dc5c8ee071ea30e4" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4809715Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305863, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4809715Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UlC", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "vFWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + 
"working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "args_count": 0, + 
"executable": "/var/lib/dpkg/info/cmd.prerm" + }, + { + "args": [ + "/usr/bin/perl", + "/usr/bin/deb-systemd-invoke", + "stop", + "cmd.service" + ], + "args_count": 4, + "executable": "/usr/bin/deb-systemd-invoke" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.11Z", + "pid": 52216, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjE2LTEzMjk2NDkxMTYzLjExMDAwMDAwMA==", + "executable": "/usr/bin/systemctl", + "args": [ + "systemctl", + "stop", + "cmd.service" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "systemctl", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "systemctl stop cmd.service", + "hash": { + "sha1": "cea82eefca581ac4029313b72216b470b8ac741e", + "sha256": "443b336e790a96a63a08466e4a35c47382a6380719680ea45726eac96215e622", + "md5": "c4462083c2ee42c852b994a9f8c5ff79" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4816667Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305865, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4816667Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UlD", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "vVWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": 
{ + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:03.08Z", + "pid": 52210, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjEwLTEzMjk2NDkxMTYzLjgwMDAwMDAw", + "executable": "/var/lib/dpkg/info/cmd.prerm", + "args": [ + "/bin/bash", + "/var/lib/dpkg/info/cmd.prerm", + "remove" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 
+ }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "cmd.prerm", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/bash /var/lib/dpkg/info/cmd.prerm remove", + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.4826277Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305867, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.4826277Z", + "kind": "event", + "module": "endpoint", + "action": "end", 
+ "id": "MbEL/BDTBn1bDrQw++++2UlE", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "8VWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": 
"root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg", 
+ "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dpkg --purge cmd", + "hash": { + "sha1": "923c23ab063b3102e62977a6cde5cfcf3cf3f5a9", + "sha256": "fc268efd3eeb984a8a82f8eff68583ae0ffe33060d2d59ff07b1b24d5791d559", + "md5": "05979fd688347b3c5af19862d71d801a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7869067Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305971, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7869067Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Unc", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + 
"index": "logs-endpoint.events.process", + "id": "8lWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x 
/usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "args_count": 0, + "executable": "/usr/bin/sh" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.41Z", + "pid": 52208, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA4LTEzMjk2NDkxMTYyLjQxMDAwMDAwMA==", + "executable": "/usr/lib/needrestart/dpkg-status", + "args": [ + "/bin/sh", + "/usr/lib/needrestart/dpkg-status" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, 
+ "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dpkg-status", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/lib/needrestart/dpkg-status", + "hash": { + "sha1": "0fe299ca0dc229d5d1b10bde1f7d5f5f9423c668", + "sha256": "4ad9f0ab2f8f5eff66c9fbbc2fe9d4588fc820a9dae3f4583f23571656854946", + "md5": "3e3cfb98f92e89c90e99876ce72415b5" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7876858Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + 
"elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305973, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7876858Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Und", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "81Wzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.4Z", + "pid": 52207, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA3LTEzMjk2NDkxMTYyLjQwMDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && 
/usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.788219Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305975, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.788219Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Une", + "category": [ + 
"process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "9FWzr4ABxtjWu-ucsDVE", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.34Z", + "pid": 52205, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA1LTEzMjk2NDkxMTYyLjM0MDAwMDAwMA==", + "executable": "/usr/bin/dpkg", + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "name": "dpkg", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", 
+ "id": 0 + }, + "command_line": "dpkg --purge cmd", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "dpkg", + "--purge", + "cmd" + ], + "args_count": 0, + "executable": "/usr/bin/dpkg" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:46:02.35Z", + "pid": 52206, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA2LTEzMjk2NDkxMTYyLjM1MDAwMDAwMA==", + "executable": "/usr/bin/sh", + "args": [ + "sh", + "-c", + "(test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + 
"pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "sh", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sh -c (test -x /usr/lib/needrestart/dpkg-status && /usr/lib/needrestart/dpkg-status || cat > /dev/null)", + "hash": { + "sha1": "7505998e3f5909ee10b0f639b570383881444afd", + "sha256": "abce6efe522d7e7bd8bdf6ecd82eda581a1514f8dea858d700766dc165a79efb", + "md5": "6f0fd9cced2852bc85a2722750ab7d64" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:40:25.7887321Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + 
"agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305977, + "ingested": "2022-05-10T20:40:30Z", + "created": "2022-05-10T20:40:25.7887321Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Unf", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "UlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": 
"kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:55.46Z", + "pid": 52190, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkwLTEzMjk2NDkxMDk1LjQ2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 
1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:55.46Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" 
+ ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305665, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:55.46Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UCh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "U1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 
1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:55.46Z", + "pid": 52190, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkwLTEzMjk2NDkxMDk1LjQ2MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + 
"id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:17.7867897Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305667, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:17.7867897Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UCj", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 
1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-10T20:39:17.787694Z", + "pid": 52191, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkxLTEzMjk2Njg4NzU3Ljc4NzY5NDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + 
"name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + 
}, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:17.787694Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305669, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:17.787694Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UCk", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 
27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-10T20:39:17.787694Z", + "pid": 52191, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkxLTEzMjk2Njg4NzU3Ljc4NzY5NDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:17.7904206Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305671, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:17.7904206Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UCo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "VlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": 
"/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, 
+ { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.63Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305673, + "ingested": "2022-05-10T20:39:29Z", + 
"created": "2022-05-08T13:44:57.63Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UCu", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "V1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + 
"name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + 
"user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": 
"c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9552327Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305675, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9552327Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UCx", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "WFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], 
+ "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + 
}, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 
+ } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9557879Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305677, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9557879Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UCv", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", 
+ "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9802643Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305679, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9802643Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UDr", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "WlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", 
+ "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9805039Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + 
}, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305681, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9805039Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UDt", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "W1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", + "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9811229Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305683, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9811229Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UDv", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + 
"name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 
+ }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9818964Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305685, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9818964Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UDy", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "daemon", 
+ "id": 1 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 
1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "daemon", + "id": 1 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9833673Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305687, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9833673Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UE1", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "daemon", + "id": 1 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "XlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + 
"previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + 
"name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9842533Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + 
"full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305689, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9842533Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UE4", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "X1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { 
+ "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": 
{ + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", 
+ "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9868933Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305691, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9868933Z", + "kind": 
"event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UEB", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": 
"1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9880998Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305693, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9880998Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UED", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + 
} + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": 
"/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + 
}, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + 
"id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9884739Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305695, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9884739Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UEF", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "YlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + 
"source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9915996Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, 
+ "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305697, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9915996Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UEM", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Y1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + 
"start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9924007Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": 
"00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305699, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9924007Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UEQ", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": 
"sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:19.9959812Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305701, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:19.9959812Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UEb", + "category": [ + "process" + ], + "type": [ + "change" + ], 
+ "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + 
"id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.0128028Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305703, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.0128028Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UFE", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ZlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", 
+ "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": 
"kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.01352Z", + 
"ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305705, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.01352Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UFH", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "Z1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, 
+ { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.0207756Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic 
#45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305707, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.0207756Z", + "kind": "event", + "module": "endpoint", + "action": "gid_change", + "id": "MbEL/BDTBn1bDrQw++++2UFT", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", 
+ "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.73Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305709, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.73Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UFu", + "category": [ + "process" + ], + "type": [ + 
"start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "aVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "hash": { + "sha1": "1abdd67db86ac4a61cd369374b409d20532e6493", + "sha256": "1a0c990b55490d9f0844eb82e11806c3aaa7eb901d5ca6bd56cb337039af66c7", + "md5": "b18ff8646681c8d244d5118197592907" + }, + 
"group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.0608467Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305711, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.0608467Z", + "kind": "event", + "module": "endpoint", + "action": "uid_change", + "id": "MbEL/BDTBn1bDrQw++++2UG2", + "category": [ + "process" + ], + "type": [ + "change" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "alWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "sudo su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "sudo", + "su" + ], + "args_count": 0, + "executable": "/usr/bin/sudo" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "hash": { + "sha1": "8c4fcb67858dc0862f67b53f956e1d601a714bba", + "sha256": "27009f2285d7e7af458d8b7e752a4ebcfc316efeeed8aa87f535c58d5b7335a9", + "md5": "e90d906f2647087d1ac2aa06de77293e" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.0641784Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": 
"ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305713, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.0641784Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UG4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "a1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": 
"/usr/bin/su", + "args": [ + "su" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, 
+ { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "hash": { + "sha1": "8c4fcb67858dc0862f67b53f956e1d601a714bba", + "sha256": "27009f2285d7e7af458d8b7e752a4ebcfc316efeeed8aa87f535c58d5b7335a9", + "md5": "e90d906f2647087d1ac2aa06de77293e" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.8Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305715, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.8Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UHY", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, 
+ "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "bFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.73Z", + "pid": 52193, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "executable": "/usr/bin/su", + "args": [ + "su" + ], + "name": "su", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "su", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "su" + ], + "args_count": 0, + "executable": "/usr/bin/su" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + 
"id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": 
"8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1265076Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305717, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1265076Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UHe", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "bVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 
136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.81Z", + "pid": 52195, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk1LTEzMjk2NDkxMDk3LjgxMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.81Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305719, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.81Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UHr", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "blWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + 
"args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.81Z", + "pid": 52195, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk1LTEzMjk2NDkxMDk3LjgxMDAwMDAwMA==", + "executable": "/usr/bin/groups", + "args": [ + "groups" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "groups", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "groups", + "hash": { + "sha1": "57c250ff52f634e05ada5e104d9ed3776d660cc7", + "sha256": "d9b14ee17f963ab9997154ef929cc2e42d0b5d56d94678b01bed0060bb1d90d2", + "md5": "c9e1747d4fdb38d3d030980456c1500c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1365583Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 305721, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1365583Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UHt", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "b1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, 
+ "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.81Z", + "pid": 52195, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk1LTEzMjk2NDkxMDk3LjgxMDAwMDAwMA==", + "executable": "/usr/bin/groups", + "args": [ + "groups" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, 
+ "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": 
"lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "groups", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "groups", + "hash": { + "sha1": "57c250ff52f634e05ada5e104d9ed3776d660cc7", + "sha256": "d9b14ee17f963ab9997154ef929cc2e42d0b5d56d94678b01bed0060bb1d90d2", + "md5": "c9e1747d4fdb38d3d030980456c1500c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1410736Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305723, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1410736Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UI+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 
0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "cFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + 
"id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint 
process event", + "@timestamp": "2022-05-08T13:44:57.82Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305725, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.82Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UI1", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "cVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", 
+ "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + 
"group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1446431Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + 
"family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305727, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1446431Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UI3", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "clWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", 
+ "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": 
"docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52197, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk3LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + 
"major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.83Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": 
"auth_metadata_missing", + "sequence": 305729, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.83Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UI9", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "c1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": 
[ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52197, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk3LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": [ + "basename", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + 
"group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "basename", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1482364Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305731, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1482364Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2UIB", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + 
"id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52197, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk3LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": [ + "basename", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + 
}, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "basename", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1509786Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305733, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1509786Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UIG", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": 
{ + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + 
"id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { 
+ "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": 
"c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.83Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305735, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.83Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UIH", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "dlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52199, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk5LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + 
"name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": 
"2022-05-08T13:44:57.83Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305737, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.83Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UIJ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "d1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52199, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk5LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": [ + "dirname", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { 
+ "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dirname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1533296Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" 
+ }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305739, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1533296Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UIL", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52199, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk5LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": [ + "dirname", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dirname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1560046Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + 
"os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305741, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1560046Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UIQ", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "eVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": 
"cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.83Z", + "pid": 52198, + "working_directory": "/usr/bin", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk4LTEzMjk2NDkxMDk3LjgzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1565282Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + 
"fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305743, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1565282Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UIS", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "elWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.82Z", + "pid": 52196, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk2LTEzMjk2NDkxMDk3LjgyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + 
"group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1570144Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305745, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1570144Z", + "kind": "event", + "module": "endpoint", + "action": "end", + 
"id": "MbEL/BDTBn1bDrQw++++2UIT", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "e1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": 
"root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.84Z", + "pid": 52200, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAwLTEzMjk2NDkxMDk3Ljg0MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + 
"id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:57.84Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305747, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:44:57.84Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UIU", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "fFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + 
"Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.84Z", + "pid": 52200, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAwLTEzMjk2NDkxMDk3Ljg0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": [ + "dircolors", + "-b" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + 
"id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dircolors", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1581128Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305749, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1581128Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UIW", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "fVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + 
"id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.84Z", + "pid": 52200, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAwLTEzMjk2NDkxMDk3Ljg0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": [ + "dircolors", + "-b" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + 
"ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dircolors", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:20.1611731Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 
21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305751, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:20.1611731Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UIc", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "flWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 
+ }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:45:01.35Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305753, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:45:01.35Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UJR", + "category": [ + "process" + ], + "type": [ + "start" + ], + 
"dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "f1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": 
"bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + 
"name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:23.6817084Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305755, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:23.6817084Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UJS", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "gFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:01.35Z", + "pid": 52201, + "working_directory": "/etc", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAxLTEzMjk2NDkxMTAxLjM1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + 
{ + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:23.6898263Z", + "ecs": { + 
"version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305757, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:23.6898263Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UJd", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "gVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 
0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + 
}, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:45:04.15Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + 
"::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305759, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:45:04.15Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UJq", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "glWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": 
"/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:26.4826349Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305761, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:26.4826349Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2UJr", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "g1Wyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", 
+ "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:04.15Z", + "pid": 52202, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAyLTEzMjk2NDkxMTA0LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ls", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:26.4869806Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305763, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:26.4869806Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UK+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": 
"logs-endpoint.events.process", + "id": "hFWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 
+ }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:45:05.15Z", + "ecs": { + "version": "1.11.0" + }, + 
"data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305765, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-08T13:45:05.15Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UK3", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "hVWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + 
"name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + 
"source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 2, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:27.4727534Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + 
}, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305767, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:27.4727534Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UK4", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "hlWyr4ABxtjWu-ucwDVk", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": 
"2022-05-08T13:45:05.15Z", + "pid": 52203, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjAzLTEzMjk2NDkxMTA1LjE1MDAwMDAwMA==", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:27.4767624Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305769, + "ingested": "2022-05-10T20:39:29Z", + "created": "2022-05-10T20:39:27.4767624Z", + "kind": 
"event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UKD", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "iFWyr4ABxtjWu-uc6TUp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, 
+ "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.63Z", + "pid": 52192, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "executable": "/usr/bin/sudo", + "args": [ + "sudo", + "su" + ], + "name": "sudo", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": false, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + 
"-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + 
"args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:45:06.08Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305771, + "ingested": "2022-05-10T20:39:39Z", + "created": "2022-05-08T13:45:06.08Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2UKI", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "iVWyr4ABxtjWu-uc6TUp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + 
"version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto", + "-la" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "same_as_process": true, + "user": { + "name": "root", + "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto", + "-la" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + 
"id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 3, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto -la", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:28.4025557Z", + "ecs": { + 
"version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305773, + "ingested": "2022-05-10T20:39:39Z", + "created": "2022-05-10T20:39:28.4025557Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2UKJ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ilWyr4ABxtjWu-uc6TUp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkzLTEzMjk2NDkxMDk3LjczMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTkyLTEzMjk2NDkxMDk3LjYzMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:44:57.8Z", + "pid": 52194, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMTk0LTEzMjk2NDkxMDk3LjgwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 1, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "bash", + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto", + "-la" + ], + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "root", 
+ "id": 0 + }, + "group": { + "name": "root", + "id": 0 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "root", + "id": 0 + }, + "interactive": true, + "start": "2022-05-08T13:45:06.08Z", + "pid": 52204, + "working_directory": "/etc/cmd", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMjA0LTEzMjk2NDkxMTA2LjgwMDAwMDAw", + "executable": "/usr/bin/ls", + "args": [ + "ls", + "--color=auto", + "-la" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", 
+ "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "ls", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "root", + "id": 0 + }, + "args_count": 0, + "user": { + "name": "root", + "id": 0 + }, + "command_line": "ls --color=auto -la", + "hash": { + "sha1": "07bfe0ceac3cf590357e84235ca640b6373b884f", + "sha256": "4ef89baf437effd684a125da35674dc6147ef2e34b76d11ea0837b543b60352f", + "md5": "6d2b4ff5fd937cd034aa2a2cf203e20f" + }, + "group": { + "name": "root", + "id": 0 + } + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:39:28.4223867Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": 
"Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 305775, + "ingested": "2022-05-10T20:39:39Z", + "created": "2022-05-10T20:39:28.4223867Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2UKq", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + }, + "group": { + "Ext": { + "real": { + "name": "root", + "id": 0 + } + }, + "name": "root", + "id": 0 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "KlXqr4ABxtjWu-ucKTk1", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": false, + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "executable": "/usr/sbin/sshd", + "args": [ + "/usr/sbin/sshd", + "-D", + "-R" + ], + "name": 
"sshd", + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/usr/sbin/sshd -D -R", + "group": { + "name": "kg", + "id": 1000 + } + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/usr/sbin/sshd", + "-D", + "-R" + ], + "args_count": 0, + "executable": "/usr/sbin/sshd" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + 
"tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 1, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + 
"user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T21:39:56.8328008Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 306935, + "ingested": "2022-05-10T21:40:00Z", + "created": "2022-05-10T21:39:56.8328008Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2ZDv", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": 
{ + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-FWxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": false, + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "working_directory": "/", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "executable": "/usr/sbin/sshd", + "args": [ + "/usr/sbin/sshd", + "-D", + "-R" + ], + "name": "sshd", + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/usr/sbin/sshd -D -R", + "group": { + "name": "kg", + "id": 1000 + } + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + 
{ + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/usr/sbin/sshd", + "-D", + "-R" + ], + "args_count": 0, + "executable": "/usr/sbin/sshd" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": true, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.4782301Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304479, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.4782301Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2PwR", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-VWxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 
1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.17Z", + "pid": 52058, + "working_directory": 
"/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU4LTEzMjk2NDkxMDQwLjE3MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { 
+ "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.17Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": 
"x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304481, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.17Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Pwh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-lWxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.17Z", + "pid": 52058, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU4LTEzMjk2NDkxMDQwLjE3MDAwMDAwMA==", + "executable": "/usr/bin/locale-check", + "args": [ + "/usr/bin/locale-check", + "C.UTF-8" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "locale-check", + "tty": { 
+ "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/usr/bin/locale-check C.UTF-8", + "hash": { + "sha1": "56c5c51fb2373bd231f169077f678fc5f9491dce", + "sha256": "64e3cbb7bfec9e8b2ff7c8df28a8ef1f8632c536bece778f36cbed49110c81ca", + "md5": "01be354a5242b9062ebd23a77ad08d07" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.4927098Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304483, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.4927098Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Pwj", + "category": [ + "process" + ], + "type": [ + "start" + ], + 
"dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "-1Wxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.17Z", + "pid": 52058, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU4LTEzMjk2NDkxMDQwLjE3MDAwMDAwMA==", + "executable": "/usr/bin/locale-check", + "args": [ + "/usr/bin/locale-check", + "C.UTF-8" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": 
{ + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "locale-check", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/usr/bin/locale-check C.UTF-8", + "hash": { + "sha1": "56c5c51fb2373bd231f169077f678fc5f9491dce", + "sha256": "64e3cbb7bfec9e8b2ff7c8df28a8ef1f8632c536bece778f36cbed49110c81ca", 
+ "md5": "01be354a5242b9062ebd23a77ad08d07" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.4949685Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304485, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.4949685Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Pwo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_FWxr4ABxtjWu-ucyjKp", + "source": { + 
"agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + 
"type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52059, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU5LTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, 
+ "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.2Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + 
"dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304487, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.2Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2PxE", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_VWxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": 
{ + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52060, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYwLTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.2Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304489, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.2Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2PxG", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_lWxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52059, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU5LTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/usr/bin/locale", + "args": [ + "locale" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + 
} + ] + }, + "name": "locale", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "locale", + "hash": { + "sha1": "0b5dbc2d0d3bfed240c2c1c4536411a928c02fbd", + "sha256": "4c1dc7fd70ca258add37f57cfc57dbf2dc50bb936881e066dca18678f35a1739", + "md5": "9f166243bd8e4f278e40e90586bcaf38" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5324268Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304491, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5324268Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2PxK", + "category": [ + "process" + ], + "type": 
[ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "_1Wxr4ABxtjWu-ucyjKp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + 
"real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52059, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU5LTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/usr/bin/locale", + "args": [ + "locale" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", 
+ "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "locale", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "locale", + "hash": { + "sha1": "0b5dbc2d0d3bfed240c2c1c4536411a928c02fbd", + "sha256": "4c1dc7fd70ca258add37f57cfc57dbf2dc50bb936881e066dca18678f35a1739", + "md5": "9f166243bd8e4f278e40e90586bcaf38" + 
}, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5377122Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304493, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5377122Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2PxS", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AFWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": 
"01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + 
}, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.2Z", + "pid": 52060, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYwLTEzMjk2NDkxMDQwLjIwMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + 
"name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5383159Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": 
"logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304495, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5383159Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2PxT", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AVWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": 
{ + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.22Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": 
"codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304497, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.22Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2PxZ", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "AlWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + 
"args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + 
"pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": 
"docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5416514Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304499, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5416514Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": 
"MbEL/BDTBn1bDrQw++++2Pxb", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "A1Wxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { 
+ "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52062, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYyLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": 
"kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": 
"c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.22Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304501, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.22Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Pxh", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + 
"type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BFWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52062, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYyLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": [ + "basename", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", 
+ "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "basename", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { + "name": "kg", + "id": 1000 + }, + 
"supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5461119Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304503, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5461119Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Pxj", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BVWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": 
"8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + 
"char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52062, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYyLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/basename", + "args": [ + "basename", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": 
"docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "basename", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "basename /usr/bin/lesspipe", + "hash": { + "sha1": "7d9ae620c87e83d32c386c9f14fef6712b66015f", + "sha256": "e68a585b826a73a8ce53b97294ee032ef32ea2fc0444d4812a3a3ebd6407e6c6", + "md5": "5b7a516879f08529158df61f78eaf6c8" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, 
+ { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5502309Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304505, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5502309Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Pxo", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "BlWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + 
"same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + 
"interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.23Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304507, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.23Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Pxp", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "B1Wxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + 
"name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52064, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY0LTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + 
"entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-08T13:44:00.23Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + 
"kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304509, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.23Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Pxr", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "CFWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + 
"parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + 
"/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52064, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY0LTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": [ + "dirname", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ 
+ "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dirname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5520107Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": 
"21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304511, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5520107Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Pxt", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "CVWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + 
"working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "args_count": 0, + "executable": "/usr/bin/lesspipe" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + 
}, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52064, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY0LTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/dirname", + "args": [ + "dirname", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + 
"name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dirname", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "dirname /usr/bin/lesspipe", + "hash": { + "sha1": "4168981e10cdff533d2fb1f5e62042ff9f90885b", + "sha256": "da721955d589437242d4fa318003040944f0f873fa0979d6ef04f54859abf3bd", + "md5": "d931e16f92c41411c623c0fa44ed863a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5543292Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", 
+ "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304513, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5543292Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Pxy", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "ClWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + 
"name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.23Z", + "pid": 52063, + "working_directory": "/usr/bin", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYzLTEzMjk2NDkxMDQwLjIzMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + 
"id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": 
"plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", + "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5560454Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304515, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5560454Z", 
+ "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Py+", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "C1Wxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + 
"name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.22Z", + "pid": 52061, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDYxLTEzMjk2NDkxMDQwLjIyMDAwMDAwMA==", + "executable": "/usr/bin/lesspipe", + "args": [ + "/bin/sh", + "/usr/bin/lesspipe" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + 
"real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "lesspipe", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "/bin/sh /usr/bin/lesspipe", 
+ "hash": { + "sha1": "c8e141a2fda720059016219cf355f40e72657226", + "sha256": "d83563af818ef4f78fc3cc95ed9170a9c86c81c00ff73f3a282a9267313c00cb", + "md5": "7e39fdccee5fc42da4452461e0b2fe2d" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5562389Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304517, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5562389Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Py/", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + 
} + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DFWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + 
"executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.24Z", + "pid": 52065, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY1LTEzMjk2NDkxMDQwLjI0MDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": 
"2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "hash": { + "sha1": "406db817fe7911d5c6f85b8d227d2496708bee3f", + "sha256": "c37f93c73cf2f303f874c094f6f76e47b2421a3da9f0e7e0b98bea8a3d685322", + "md5": "8356b7bfc62a47ec4ab7a1d7fc58b63c" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process 
event", + "@timestamp": "2022-05-08T13:44:00.24Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304519, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-08T13:44:00.24Z", + "kind": "event", + "module": "endpoint", + "action": "fork", + "id": "MbEL/BDTBn1bDrQw++++2Py0", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DVWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + 
"name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.24Z", + "pid": 52065, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY1LTEzMjk2NDkxMDQwLjI0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": [ + "dircolors", + "-b" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "name": "dircolors", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 2, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5580135Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": 
"5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + "08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304521, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5580135Z", + "kind": "event", + "module": "endpoint", + "action": "exec", + "id": "MbEL/BDTBn1bDrQw++++2Py2", + "category": [ + "process" + ], + "type": [ + "start" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } + + { + "type": "doc", + "value": { + "index": "logs-endpoint.events.process", + "id": "DlWxr4ABxtjWu-ucyjOp", + "source": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101", + "type": "endpoint", + "version": "8.3.0-SNAPSHOT" + }, + "process": { + "Ext": { + "ancestry": [ + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxOTgyLTEzMjk2NDkxMDM2LjI3MDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUxMzExLTEzMjk2NDkwNzYxLjkwMDAwMDAwMA==", + "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTEtMTMyOTYyNDg3MjEuMA==" + ] + }, + "parent": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "-bash", + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "group_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "previous": [ + { + "args": [ + "-bash" + ], + "args_count": 0, + "executable": "/bin/bash" + } + ], + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.24Z", + "pid": 52065, + "working_directory": "/home/kg", + "entity_id": 
"MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDY1LTEzMjk2NDkxMDQwLjI0MDAwMDAwMA==", + "executable": "/usr/bin/dircolors", + "args": [ + "dircolors", + "-b" + ], + "session_leader": { + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "entry_leader": { + "parent": { + "start": "2022-05-08T13:44:00.06Z", + "pid": 52056, + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU2LTEzMjk2NDkxMDQwLjYwMDAwMDAw" + }, + "real_user": { + "name": "kg", + "id": 1000 + }, + "interactive": true, + "start": "2022-05-08T13:44:00.13Z", + "entry_meta": { + "source": { + "ip": "10.0.2.2" + }, + "type": "sshd" + }, + "pid": 52057, + "working_directory": "/home/kg", + "entity_id": "MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==", + "executable": "/bin/bash", + "args": [ + "-bash" + ], + "name": "bash", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 1, + "same_as_process": false, + "user": { + "name": "kg", + "id": 1000 + }, + "group": { + 
"name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "exit_code": 0, + "name": "dircolors", + "tty": { + "char_device": { + "major": 136, + "minor": 0 + }, + "type": "char_device" + }, + "real_group": { + "name": "kg", + "id": 1000 + }, + "args_count": 0, + "user": { + "name": "kg", + "id": 1000 + }, + "command_line": "dircolors -b", + "hash": { + "sha1": "04cf29f2e04fa4cae48134732e2ed92468a8fc0d", + "sha256": "fa88babbb82377cd09f0bb371f752121e645245d5247ebfc39393a8798abe5c5", + "md5": "c60577bd54ca4b90624de46bd6f3be1a" + }, + "group": { + "name": "kg", + "id": 1000 + }, + "supplemental_groups": [ + { + "name": "adm", + "id": 4 + }, + { + "name": "cdrom", + "id": 24 + }, + { + "name": "sudo", + "id": 27 + }, + { + "name": "dip", + "id": 30 + }, + { + "name": "plugdev", + "id": 46 + }, + { + "name": "lxd", + "id": 110 + }, + { + "name": "docker", + "id": 118 + } + ] + }, + "message": "Endpoint process event", + "@timestamp": "2022-05-10T20:38:22.5614244Z", + "ecs": { + "version": "1.11.0" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "endpoint.events.process" + }, + "elastic": { + "agent": { + "id": "01010101-0101-0101-0101-010101010101" + } + }, + "host": { + "hostname": "codecvlt", + "os": { + "Ext": { + "variant": "Ubuntu" + }, + "kernel": "5.13.0-40-generic #45-Ubuntu SMP Tue Mar 29 14:48:14 UTC 2022", + "name": "Linux", + "family": "ubuntu", + "type": "linux", + "version": "21.10", + "platform": "ubuntu", + "full": "Ubuntu 21.10" + }, + "ip": [ + "172.17.0.1", + "127.0.0.1", + "::1", + "10.0.2.15", + "fe80::a00:27ff:fed8:d0c7" + ], + "name": "codecvlt", + "id": "00000000-0000-0000-0000-000000000000", + "mac": [ + "02:42:7e:91:e2:fc", + 
"08:00:27:d8:d0:c7" + ], + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "auth_metadata_missing", + "sequence": 304523, + "ingested": "2022-05-10T20:38:26Z", + "created": "2022-05-10T20:38:22.5614244Z", + "kind": "event", + "module": "endpoint", + "action": "end", + "id": "MbEL/BDTBn1bDrQw++++2Py8", + "category": [ + "process" + ], + "type": [ + "end" + ], + "dataset": "endpoint.events.process" + }, + "user": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + }, + "group": { + "Ext": { + "real": { + "name": "kg", + "id": 1000 + } + }, + "name": "kg", + "id": 1000 + } + } + } + } diff --git a/x-pack/test/functional/es_archives/session_view/process_events/mappings.json b/x-pack/test/functional/es_archives/session_view/process_events/mappings.json new file mode 100644 index 0000000000000..52eea9063c057 --- /dev/null +++ b/x-pack/test/functional/es_archives/session_view/process_events/mappings.json @@ -0,0 +1,24 @@ +{ + "type": "index", + "value": { + "index": "logs-endpoint.events.process", + "mappings": { + "properties": { + "message": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "process.entry_leader.entity_id": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } +} + diff --git a/x-pack/test/functional/fixtures/kbn_archiver/reporting/unmapped_fields.json b/x-pack/test/functional/fixtures/kbn_archiver/reporting/unmapped_fields.json new file mode 100644 index 0000000000000..24c9769834250 --- /dev/null +++ b/x-pack/test/functional/fixtures/kbn_archiver/reporting/unmapped_fields.json @@ -0,0 +1,15 @@ +{ + "attributes": { + "fields": "[]", + "title": "recipes" + }, + "coreMigrationVersion": "8.3.0", + "id": "5c620ea0-dc4f-11ec-972a-bf98ce1eebd7", + "migrationVersion": { + "index-pattern": "8.0.0" + }, + "references": [], + "type": "index-pattern", + "updated_at": "2022-05-25T17:23:15.216Z", + "version": "WzE4NywxXQ==" +} 
diff --git a/x-pack/test/functional/services/ml/overview_page.ts b/x-pack/test/functional/services/ml/overview_page.ts index 5f02edde0f310..9fd536b24e760 100644 --- a/x-pack/test/functional/services/ml/overview_page.ts +++ b/x-pack/test/functional/services/ml/overview_page.ts @@ -78,5 +78,17 @@ export function MachineLearningOverviewPageProvider({ getService }: FtrProviderC async assertJobSyncRequiredWarningNotExists() { await testSubjects.missingOrFail('mlJobSyncRequiredWarning', { timeout: 5000 }); }, + + async assertPageNotFoundBannerExists() { + await testSubjects.existOrFail('mlPageNotFoundBanner', { timeout: 5000 }); + }, + + async assertPageNotFoundBannerText(pathname: string) { + await this.assertPageNotFoundBannerExists(); + const text = await testSubjects.getVisibleText('mlPageNotFoundBannerText'); + expect(text).to.eql( + `The Machine Learning application doesn't recognize this route: /ml/${pathname}. You've been redirected to the Overview page.` + ); + }, }; } diff --git a/x-pack/test/functional/services/observability/alerts/common.ts b/x-pack/test/functional/services/observability/alerts/common.ts index 8b7d15e96cb26..54ce60ddec848 100644 --- a/x-pack/test/functional/services/observability/alerts/common.ts +++ b/x-pack/test/functional/services/observability/alerts/common.ts @@ -52,6 +52,15 @@ export function ObservabilityAlertsCommonProvider({ return await pageObjects.common.navigateToUrlWithBrowserHistory( 'observability', '/alerts/rules', + '', + { ensureCurrentUrl: false } + ); + }; + + const navigateToRuleDetailsByRuleId = async (ruleId: string) => { + return await pageObjects.common.navigateToUrlWithBrowserHistory( + 'observability', + `/alerts/rules/${ruleId}`, '?', { ensureCurrentUrl: false } ); @@ -336,5 +345,6 @@ export function ObservabilityAlertsCommonProvider({ getAlertsFlyoutViewRuleDetailsLinkOrFail, getRuleStatValue, navigateToRulesPage, + navigateToRuleDetailsByRuleId, }; } 
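Review bot: `assertPageNotFoundBannerText` builds the expected string as `/ml/${pathname}`, so it silently assumes callers pass the sub-route without a leading slash; a caller passing `/settings` produces `/ml//settings` and the `to.eql` fails with a confusing diff rather than a clear contract violation. Either document the contract with a JSDoc on the method, `/** pathname is the ML sub-route without a leading slash; it is rendered as /ml/${pathname}. */`, or normalise it up front with `const route = pathname.replace(/^\/+/, '');` and use `route` in the template. The enclosing provider function and its `expect` import start outside the hunk, so I cannot confirm `expect` is in scope here.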
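Review bot: The new `navigateToRuleDetailsByRuleId` passes `'?'` as the search argument while the same hunk changes the sibling `navigateToRulesPage` to pass `''`, and it interpolates `ruleId` straight into the path. If the `'?'` is deliberate (to keep a trailing `?` in the URL), a one-line comment should say so; otherwise make the two helpers consistent with `''`. Since the id lands in a path segment, encode it as well: `` `/alerts/rules/${encodeURIComponent(ruleId)}`, `` — harmless for the UUID-shaped ids these tests use, and it keeps the helper correct for any other id a future test passes.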
diff --git a/x-pack/test/functional_synthetics/config.js b/x-pack/test/functional_synthetics/config.js index cf529226de895..932d1c4723951 100644 --- a/x-pack/test/functional_synthetics/config.js +++ b/x-pack/test/functional_synthetics/config.js @@ -17,7 +17,7 @@ import { pageObjects } from './page_objects'; // example: https://beats-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fpackage-storage/detail/snapshot/74/pipeline/257#step-302-log-1. // It should be updated any time there is a new Docker image published for the Snapshot Distribution of the Package Registry that updates Synthetics. export const dockerImage = - 'docker.elastic.co/package-registry/distribution:e1a3906e0c9944ecade05308022ba35eb0ebd00a'; + 'docker.elastic.co/package-registry/distribution:93ffe45d8c4ae11365bc70b1038643121049b9fe'; // the default export of config files must be a config provider // that returns an object with the projects config values diff --git a/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/alerts_list.ts b/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/alerts_list.ts index 6e6e412ec61a6..b867cc640d5bb 100644 --- a/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/alerts_list.ts +++ b/x-pack/test/functional_with_es_ssl/apps/triggers_actions_ui/alerts_list.ts 
@@ -729,5 +729,28 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { await find.waitForDeletedByCssSelector('.euiBasicTable-loading'); await assertRulesLength(2); }); + + it('should not prevent rules with action execution capabilities from being edited', async () => { + const action = await createAction({ supertest, objectRemover }); + await createAlert({ + supertest, + objectRemover, + overwrites: { + actions: [ + { + id: action.id, + group: 'default', + params: { level: 'info', message: 'gfghfhg' }, + }, + ], + }, + }); + await refreshAlertsList(); + await retry.try(async () => { + const actionButton = await testSubjects.find('selectActionButton'); + const disabled = await actionButton.getAttribute('disabled'); + expect(disabled).to.equal(null); + }); + }); }); }; diff --git a/x-pack/test/kubernetes_security/basic/config.ts b/x-pack/test/kubernetes_security/basic/config.ts new file mode 100644 index 0000000000000..d57a65a1e9fd2 --- /dev/null +++ b/x-pack/test/kubernetes_security/basic/config.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { createTestConfig } from '../common/config'; + +// eslint-disable-next-line import/no-default-export +export default createTestConfig({ + license: 'basic', + name: 'X-Pack kubernetes_security API integration tests (basic)', + testFiles: [require.resolve('./tests')], +}); diff --git a/x-pack/test/kubernetes_security/basic/tests/aggregate.ts b/x-pack/test/kubernetes_security/basic/tests/aggregate.ts new file mode 100644 index 0000000000000..b9d85299d4bc8 --- /dev/null +++ b/x-pack/test/kubernetes_security/basic/tests/aggregate.ts 
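Review bot: The new `alerts_list.ts` case runs as the default supertest/browser user, who presumably holds full alerting and actions privileges, so asserting that `selectActionButton` has no `disabled` attribute would also pass if the capability check the title refers to were removed entirely; if the intent is to pin a privilege-dependent behaviour, the test needs a user who can edit rules but lacks actions execute privilege, or at least a comment stating which scenario it guards. The action params `{ level: 'info', message: 'gfghfhg' }` read as leftover keyboard mashing; `message: 'test message'` would make the fixture intentional. The enclosing `describe` starts outside the hunk.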
@@ -0,0 +1,99 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { AGGREGATE_ROUTE } from '@kbn/kubernetes-security-plugin/common/constants'; +import { FtrProviderContext } from '../../common/ftr_provider_context'; +const MOCK_INDEX = 'kubernetes-test-index'; +const ORCHESTRATOR_NAMESPACE_PROPERTY = 'orchestrator.namespace'; +const CONTAINER_IMAGE_NAME_PROPERTY = 'container.image.name'; +const TIMESTAMP_PROPERTY = '@timestamp'; + +// eslint-disable-next-line import/no-default-export +export default function aggregateTests({ getService }: FtrProviderContext) { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const namespaces = ['namespace', 'namespace02', 'namespace03', 'namespace04']; + + describe('Kubernetes security with a basic license', () => { + before(async () => { + await esArchiver.load( + 'x-pack/test/functional/es_archives/kubernetes_security/process_events' + ); + }); + + after(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/kubernetes_security/process_events' + ); + }); + + it(`${AGGREGATE_ROUTE} returns aggregates on process events`, async () => { + const response = await supertest + .get(AGGREGATE_ROUTE) + .set('kbn-xsrf', 'foo') + .query({ + query: JSON.stringify({ match: { [CONTAINER_IMAGE_NAME_PROPERTY]: 'debian11' } }), + groupBy: ORCHESTRATOR_NAMESPACE_PROPERTY, + page: 0, + index: MOCK_INDEX, + }); + expect(response.status).to.be(200); + expect(response.body.length).to.be(10); + + namespaces.forEach((namespace, i) => { + expect(response.body[i].key).to.be(namespace); + }); + }); + + it(`${AGGREGATE_ROUTE} allows pagination`, async () => { + const response = await supertest + .get(AGGREGATE_ROUTE) + .set('kbn-xsrf', 
'foo') + .query({ + query: JSON.stringify({ match: { [CONTAINER_IMAGE_NAME_PROPERTY]: 'debian11' } }), + groupBy: ORCHESTRATOR_NAMESPACE_PROPERTY, + page: 1, + index: MOCK_INDEX, + }); + expect(response.status).to.be(200); + expect(response.body.length).to.be(1); + expect(response.body[0].key).to.be('namespace11'); + }); + + it(`${AGGREGATE_ROUTE} allows a range query`, async () => { + const response = await supertest + .get(AGGREGATE_ROUTE) + .set('kbn-xsrf', 'foo') + .query({ + query: JSON.stringify({ + range: { + [TIMESTAMP_PROPERTY]: { + gte: '2020-12-16T15:16:28.570Z', + lte: '2020-12-16T15:16:30.570Z', + }, + }, + }), + groupBy: ORCHESTRATOR_NAMESPACE_PROPERTY, + page: 0, + index: MOCK_INDEX, + }); + expect(response.status).to.be(200); + expect(response.body.length).to.be(3); + }); + + it(`${AGGREGATE_ROUTE} handles a bad request`, async () => { + const response = await supertest.get(AGGREGATE_ROUTE).set('kbn-xsrf', 'foo').query({ + query: 'asdf', + groupBy: ORCHESTRATOR_NAMESPACE_PROPERTY, + page: 0, + index: MOCK_INDEX, + }); + expect(response.status).to.be(400); + }); + }); +} diff --git a/x-pack/test/kubernetes_security/basic/tests/count.ts b/x-pack/test/kubernetes_security/basic/tests/count.ts new file mode 100644 index 0000000000000..3aba6a666a321 --- /dev/null +++ b/x-pack/test/kubernetes_security/basic/tests/count.ts 
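Review bot: Every request in `aggregate.ts` runs as the default supertest superuser and passes both the target `index` and a raw Elasticsearch `query` object from the client, so the suite shows the route works but not that it is bounded by the caller's index privileges; a case where a user without read on `kubernetes-test-index` (or an `index` naming an unrelated index) gets a 403 or an empty result belongs next to the bad-request test. The first test asserts `response.body.length` is 10 and the pagination test expects a single leftover key, which pins a page size of 10 without naming it; `const PAGE_SIZE = 10; // server-side page size of AGGREGATE_ROUTE` would make the `namespace11` expectation readable. Note also that `namespaces` lists four keys while `forEach` runs over a ten-element body, so ordering is verified for the first four buckets only — either say so in the test name or list all ten.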
@@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { COUNT_ROUTE } from '@kbn/kubernetes-security-plugin/common/constants'; +import { FtrProviderContext } from '../../common/ftr_provider_context'; + +const MOCK_INDEX = 'kubernetes-test-index'; +const ORCHESTRATOR_NAMESPACE_PROPERTY = 'orchestrator.namespace'; +const CONTAINER_IMAGE_NAME_PROPERTY = 'container.image.name'; +const TIMESTAMP_PROPERTY = '@timestamp'; + +// eslint-disable-next-line import/no-default-export +export default function countTests({ getService }: FtrProviderContext) { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + + describe('Kubernetes security with a basic license', () => { + before(async () => { + await esArchiver.load( + 'x-pack/test/functional/es_archives/kubernetes_security/process_events' + ); + }); + + after(async () => { + await esArchiver.unload( + 'x-pack/test/functional/es_archives/kubernetes_security/process_events' + ); + }); + + it(`${COUNT_ROUTE} returns cardinality of a field`, async () => { + const response = await supertest + .get(COUNT_ROUTE) + .set('kbn-xsrf', 'foo') + .query({ + query: JSON.stringify({ match: { [CONTAINER_IMAGE_NAME_PROPERTY]: 'debian11' } }), + field: ORCHESTRATOR_NAMESPACE_PROPERTY, + index: MOCK_INDEX, + }); + expect(response.status).to.be(200); + expect(response.body).to.be(11); + }); + + it(`${COUNT_ROUTE} allows a range query`, async () => { + const response = await supertest + .get(COUNT_ROUTE) + .set('kbn-xsrf', 'foo') + .query({ + query: JSON.stringify({ + range: { + [TIMESTAMP_PROPERTY]: { + gte: '2020-12-16T15:16:28.570Z', + lte: '2020-12-16T15:16:30.570Z', + }, + }, + }), + field: ORCHESTRATOR_NAMESPACE_PROPERTY, + index: 
MOCK_INDEX, + }); + expect(response.status).to.be(200); + expect(response.body).to.be(3); + }); + + it(`${COUNT_ROUTE} handles a bad query`, async () => { + const response = await supertest + .get(COUNT_ROUTE) + .set('kbn-xsrf', 'foo') + .query({ + query: JSON.stringify({ + range: 'asdf', + }), + field: ORCHESTRATOR_NAMESPACE_PROPERTY, + index: MOCK_INDEX, + }); + expect(response.status).to.be(400); + }); + }); +} diff --git a/x-pack/test/kubernetes_security/basic/tests/index.ts b/x-pack/test/kubernetes_security/basic/tests/index.ts new file mode 100644 index 0000000000000..ba29e4d79b3fd --- /dev/null +++ b/x-pack/test/kubernetes_security/basic/tests/index.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { FtrProviderContext } from '../../common/ftr_provider_context'; + +// eslint-disable-next-line import/no-default-export +export default function kubernetesSecurityApiIntegrationTests({ + loadTestFile, +}: FtrProviderContext) { + describe('Kubernetes security API (basic)', function () { + loadTestFile(require.resolve('./aggregate')); + loadTestFile(require.resolve('./count')); + }); +} diff --git a/x-pack/test/kubernetes_security/common/config.ts b/x-pack/test/kubernetes_security/common/config.ts new file mode 100644 index 0000000000000..83249182084f3 --- /dev/null +++ b/x-pack/test/kubernetes_security/common/config.ts 
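Review bot: As in the aggregate suite, `count.ts` exercises the cardinality route only as the superuser with a caller-supplied `index` and raw `query`; nothing here demonstrates that a user lacking read on `kubernetes-test-index` is refused, which is the check a security-plugin route most needs. The 'bad query' case sends `range: 'asdf'` and expects 400, but `field` and `index` are never sent malformed or missing, so the validator for those two parameters is untested. Both new files also use the identical `describe('Kubernetes security with a basic license', ...)` title, which makes junit output hard to tell apart — `'Kubernetes security count route (basic)'` / `'... aggregate route (basic)'` would disambiguate.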
@@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { FtrConfigProviderContext } from '@kbn/test'; + +interface Settings { + license: 'basic' | 'trial'; + testFiles: string[]; + name: string; +} + +export function createTestConfig(settings: Settings) { + const { testFiles, license, name } = settings; + + return async ({ readConfigFile }: FtrConfigProviderContext) => { + const xPackAPITestsConfig = await readConfigFile( + require.resolve('../../api_integration/config.ts') + ); + + return { + testFiles, + servers: xPackAPITestsConfig.get('servers'), + services: xPackAPITestsConfig.get('services'), + junit: { + reportName: name, + }, + + esTestCluster: { + ...xPackAPITestsConfig.get('esTestCluster'), + license, + }, + kbnTestServer: xPackAPITestsConfig.get('kbnTestServer'), + }; + }; +} diff --git a/x-pack/test/kubernetes_security/common/ftr_provider_context.ts b/x-pack/test/kubernetes_security/common/ftr_provider_context.ts new file mode 100644 index 0000000000000..2ea45b854eb28 --- /dev/null +++ b/x-pack/test/kubernetes_security/common/ftr_provider_context.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export type { FtrProviderContext } from '../../api_integration/ftr_provider_context'; diff --git a/x-pack/test/observability_functional/apps/observability/index.ts b/x-pack/test/observability_functional/apps/observability/index.ts index ec1f2e089e732..bd0d822e6234e 100644 --- a/x-pack/test/observability_functional/apps/observability/index.ts 
+++ b/x-pack/test/observability_functional/apps/observability/index.ts @@ -9,16 +9,17 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ loadTestFile }: FtrProviderContext) { describe('ObservabilityApp', function () { - loadTestFile(require.resolve('./alerts')); - loadTestFile(require.resolve('./alerts/add_to_case')); - loadTestFile(require.resolve('./alerts/alert_disclaimer')); - loadTestFile(require.resolve('./alerts/alert_status')); - loadTestFile(require.resolve('./alerts/pagination')); - loadTestFile(require.resolve('./alerts/rule_stats')); - loadTestFile(require.resolve('./alerts/state_synchronization')); - loadTestFile(require.resolve('./alerts/table_storage')); + loadTestFile(require.resolve('./pages/alerts')); + loadTestFile(require.resolve('./pages/alerts/add_to_case')); + loadTestFile(require.resolve('./pages/alerts/alert_disclaimer')); + loadTestFile(require.resolve('./pages/alerts/alert_status')); + loadTestFile(require.resolve('./pages/alerts/pagination')); + loadTestFile(require.resolve('./pages/alerts/rule_stats')); + loadTestFile(require.resolve('./pages/alerts/state_synchronization')); + loadTestFile(require.resolve('./pages/alerts/table_storage')); loadTestFile(require.resolve('./exploratory_view')); loadTestFile(require.resolve('./feature_controls')); - loadTestFile(require.resolve('./alerts/rules_page')); + loadTestFile(require.resolve('./pages/rules_page')); + loadTestFile(require.resolve('./pages/rule_details_page')); }); } diff --git a/x-pack/test/observability_functional/apps/observability/alerts/add_to_case.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/add_to_case.ts similarity index 97% rename from x-pack/test/observability_functional/apps/observability/alerts/add_to_case.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/add_to_case.ts index 5e80a5769b44d..918133ca53dfc 100644 
--- a/x-pack/test/observability_functional/apps/observability/alerts/add_to_case.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/add_to_case.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getService, getPageObjects }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); diff --git a/x-pack/test/observability_functional/apps/observability/alerts/alert_disclaimer.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/alert_disclaimer.ts similarity index 95% rename from x-pack/test/observability_functional/apps/observability/alerts/alert_disclaimer.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/alert_disclaimer.ts index d63739da47d5b..b54f36e020183 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/alert_disclaimer.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/alert_disclaimer.ts @@ -7,7 +7,7 @@ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getService, getPageObject }: FtrProviderContext) => { describe('Observability alert experimental disclaimer', function () { diff --git a/x-pack/test/observability_functional/apps/observability/alerts/alert_status.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/alert_status.ts similarity index 97% rename from x-pack/test/observability_functional/apps/observability/alerts/alert_status.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/alert_status.ts index c7514962c84f7..5e70382418f23 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/alert_status.ts 
+++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/alert_status.ts @@ -7,7 +7,7 @@ import expect from '@kbn/expect'; import { ALERT_STATUS_RECOVERED, ALERT_STATUS_ACTIVE } from '@kbn/rule-data-utils'; -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; const ALL_ALERTS = 40; const ACTIVE_ALERTS = 10; diff --git a/x-pack/test/observability_functional/apps/observability/alerts/index.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/index.ts similarity index 98% rename from x-pack/test/observability_functional/apps/observability/alerts/index.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/index.ts index 5afdb0b00c774..8fb90ccc9338c 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/index.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/index.ts @@ -6,8 +6,8 @@ */ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../ftr_provider_context'; -import { asyncForEach } from '../helpers'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; +import { asyncForEach } from '../../helpers'; const ACTIVE_ALERTS_CELL_COUNT = 78; const RECOVERED_ALERTS_CELL_COUNT = 180; diff --git a/x-pack/test/observability_functional/apps/observability/alerts/pagination.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/pagination.ts similarity index 98% rename from x-pack/test/observability_functional/apps/observability/alerts/pagination.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/pagination.ts index cffbfb6f4227c..0c1c63ea66acb 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/pagination.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/pagination.ts 
@@ -7,7 +7,7 @@ import expect from '@kbn/expect'; import { ALERT_STATUS_ACTIVE } from '@kbn/rule-data-utils'; -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; const ROWS_NEEDED_FOR_PAGINATION = 10; const DEFAULT_ROWS_PER_PAGE = 50; diff --git a/x-pack/test/observability_functional/apps/observability/alerts/rule_stats.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/rule_stats.ts similarity index 89% rename from x-pack/test/observability_functional/apps/observability/alerts/rule_stats.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/rule_stats.ts index 6dabf813f1d56..443e0616cabe2 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/rule_stats.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/rule_stats.ts @@ -6,15 +6,15 @@ */ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../ftr_provider_context'; -import { ObjectRemover } from '../../../../functional_with_es_ssl/lib/object_remover'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; +import { ObjectRemover } from '../../../../../functional_with_es_ssl/lib/object_remover'; import { createAlert as createRule, disableAlert as disableRule, muteAlert as muteRule, -} from '../../../../functional_with_es_ssl/lib/alert_api_actions'; -import { generateUniqueKey } from '../../../../functional_with_es_ssl/lib/get_test_data'; -import { asyncForEach } from '../helpers'; +} from '../../../../../functional_with_es_ssl/lib/alert_api_actions'; +import { generateUniqueKey } from '../../../../../functional_with_es_ssl/lib/get_test_data'; +import { asyncForEach } from '../../helpers'; export default ({ getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); 
diff --git a/x-pack/test/observability_functional/apps/observability/alerts/state_synchronization.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/state_synchronization.ts similarity index 98% rename from x-pack/test/observability_functional/apps/observability/alerts/state_synchronization.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/state_synchronization.ts index 1860197b43e5b..fe9751dc9c738 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/state_synchronization.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/state_synchronization.ts @@ -6,7 +6,7 @@ */ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getPageObjects, getService }: FtrProviderContext) => { const esArchiver = getService('esArchiver'); diff --git a/x-pack/test/observability_functional/apps/observability/alerts/table_storage.ts b/x-pack/test/observability_functional/apps/observability/pages/alerts/table_storage.ts similarity index 97% rename from x-pack/test/observability_functional/apps/observability/alerts/table_storage.ts rename to x-pack/test/observability_functional/apps/observability/pages/alerts/table_storage.ts index 649465f6a0173..4a8c90abb2ce7 100644 --- a/x-pack/test/observability_functional/apps/observability/alerts/table_storage.ts +++ b/x-pack/test/observability_functional/apps/observability/pages/alerts/table_storage.ts @@ -7,7 +7,7 @@ import expect from '@kbn/expect'; -import { FtrProviderContext } from '../../../ftr_provider_context'; +import { FtrProviderContext } from '../../../../ftr_provider_context'; export default ({ getService, getPageObject }: FtrProviderContext) => { describe('Observability alert table state storage', function () { 
diff --git a/x-pack/test/observability_functional/apps/observability/pages/rule_details_page.ts b/x-pack/test/observability_functional/apps/observability/pages/rule_details_page.ts
new file mode 100644
index 0000000000000..7bef4578142e4
--- /dev/null
+++ b/x-pack/test/observability_functional/apps/observability/pages/rule_details_page.ts
@@ -0,0 +1,168 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { FtrProviderContext } from '../../../ftr_provider_context'; + +export default ({ getService }: FtrProviderContext) => { + const testSubjects = getService('testSubjects'); + const observability = getService('observability'); + const supertest = getService('supertest'); + const find = getService('find'); + const retry = getService('retry'); + const RULE_ENDPOINT = '/api/alerting/rule'; + + async function createRule(rule: any): Promise { + const ruleResponse = await supertest.post(RULE_ENDPOINT).set('kbn-xsrf', 'foo').send(rule); + expect(ruleResponse.status).to.eql(200); + return ruleResponse.body.id; + } + async function deleteRuleById(ruleId: string) { + const ruleResponse = await supertest + .delete(`${RULE_ENDPOINT}/${ruleId}`) + .set('kbn-xsrf', 'foo'); + expect(ruleResponse.status).to.eql(204); + return true; + } + + describe('Observability Rule Details page', function () { + this.tags('includeFirefox'); + + let uptimeRuleId: string; + const uptimeRuleName = 'uptime'; + + let logThresholdRuleId: string; + const logThresholdRuleName = 'error-log'; + + before(async () => { + await observability.users.restoreDefaultTestUserRole(); + const uptimeRule = { + params: { + search: '', + numTimes: 5, + timerangeUnit: 'm', + timerangeCount: 15, + shouldCheckStatus: true, + shouldCheckAvailability: true, + availability: { range: 30, rangeUnit: 'd', threshold: '99' }, + }, + consumer: 'alerts', + 
schedule: { interval: '1m' }, + tags: [], + name: uptimeRuleName, + rule_type_id: 'xpack.uptime.alerts.monitorStatus', + notify_when: 'onActionGroupChange', + actions: [], + }; + const logThresholdRule = { + params: { + timeSize: 5, + timeUnit: 'm', + count: { value: 75, comparator: 'more than' }, + criteria: [{ field: 'log.level', comparator: 'equals', value: 'error' }], + }, + consumer: 'alerts', + schedule: { interval: '1m' }, + tags: [], + name: logThresholdRuleName, + rule_type_id: 'logs.alert.document.count', + notify_when: 'onActionGroupChange', + actions: [], + }; + uptimeRuleId = await createRule(uptimeRule); + logThresholdRuleId = await createRule(logThresholdRule); + }); + after(async () => { + await deleteRuleById(uptimeRuleId); + await deleteRuleById(logThresholdRuleId); + }); + + describe('Navigate to the new Rule Details page', () => { + it('should navigate to the new rule details page by clicking on the rule from the rules table', async () => { + await observability.alerts.common.navigateToRulesPage(); + await retry.waitFor( + 'Rules table to be visible', + async () => await testSubjects.exists('rulesList') + ); + await find.clickByLinkText(logThresholdRuleName); + await retry.waitFor( + 'Rule details to be visible', + async () => await testSubjects.exists('ruleDetails') + ); + }); + + it('should navigate to the new rule details page by URL', async () => { + await observability.alerts.common.navigateToRuleDetailsByRuleId(uptimeRuleId); + await retry.waitFor( + 'Rule details to be visible', + async () => await testSubjects.exists('ruleDetails') + ); + }); + }); + + describe('Page components', () => { + before(async () => { + await observability.alerts.common.navigateToRuleDetailsByRuleId(logThresholdRuleId); + }); + it('show the rule name as the page title', async () => { + await retry.waitFor( + 'Rule name to be visible', + async () => await testSubjects.exists('ruleName') + ); + const ruleName = await testSubjects.getVisibleText('ruleName'); + 
expect(ruleName).to.be(logThresholdRuleName); + }); + + it('shows the rule status section in the rule summary', async () => { + await testSubjects.existOrFail('ruleSummaryRuleStatus'); + }); + + it('shows the rule definition section in the rule summary', async () => { + await testSubjects.existOrFail('ruleSummaryRuleDefinition'); + }); + + it('maps correctly the rule type with the human readable rule type', async () => { + const ruleType = await testSubjects.getVisibleText('ruleSummaryRuleType'); + expect(ruleType).to.be('Log threshold'); + }); + }); + + describe('User permissions', () => { + before(async () => { + await observability.alerts.common.navigateToRuleDetailsByRuleId(logThresholdRuleId); + }); + it('should show the more (...) button if user has permissions', async () => { + await retry.waitFor( + 'More button to be visible', + async () => await testSubjects.exists('moreButton') + ); + }); + + it('should shows the rule edit and delete button if user has permissions', async () => { + await testSubjects.click('moreButton'); + await testSubjects.existOrFail('editRuleButton'); + await testSubjects.existOrFail('deleteRuleButton'); + }); + + it('should not let user edit/delete the rule if he has no permissions', async () => { + await observability.users.setTestUserRole( + observability.users.defineBasicObservabilityRole({ + logs: ['read'], + }) + ); + await observability.alerts.common.navigateToRuleDetailsByRuleId(logThresholdRuleId); + await testSubjects.missingOrFail('moreButton'); + }); + }); + }); +}; diff --git a/x-pack/test/observability_functional/apps/observability/alerts/rules_page.ts b/x-pack/test/observability_functional/apps/observability/pages/rules_page.ts similarity index 100% rename from x-pack/test/observability_functional/apps/observability/alerts/rules_page.ts rename to x-pack/test/observability_functional/apps/observability/pages/rules_page.ts 
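Review bot: The last test in 'User permissions' downgrades the shared test user via `setTestUserRole(... logs: ['read'])` and nothing restores it; the outer `before` calls `restoreDefaultTestUserRole()` but the outer `after` only deletes the two rules, so the reduced role leaks into whichever test file runs next. Add `await observability.users.restoreDefaultTestUserRole();` to that `after` (or to an `after` inside 'User permissions'). The negative case also checks only that `moreButton` is missing, which proves the UI hides the control, not that the API refuses edit/delete for that role; since `supertest` here authenticates as the configured superuser rather than the test user, say so in a comment rather than letting the test read as an authorization check. Separately, the file carries the license header twice, and `createRule(rule: any): Promise` should name its result (`Promise<string>`) if the generic was not simply lost in rendering.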
diff --git a/x-pack/test/plugin_api_integration/test_suites/task_manager/health_route.ts b/x-pack/test/plugin_api_integration/test_suites/task_manager/health_route.ts index 5578ee1ea3f72..1bd158019c6f4 100644 --- a/x-pack/test/plugin_api_integration/test_suites/task_manager/health_route.ts +++ b/x-pack/test/plugin_api_integration/test_suites/task_manager/health_route.ts @@ -225,7 +225,7 @@ export default function ({ getService }: FtrProviderContext) { expect(typeof proposed.avg_required_throughput_per_minute_per_kibana).to.eql('number'); }); - it('should return an estimation of task manager capacity', async () => { + it('should return an estimation of task manager capacity as an array', async () => { const { workload: { value: workload }, } = (await getHealth()).stats; @@ -240,15 +240,6 @@ export default function ({ getService }: FtrProviderContext) { expect(typeof workload.capacity_requirements.per_day).to.eql('number'); expect(Array.isArray(workload.estimated_schedule_density)).to.eql(true); - - // test run with the default poll_interval of 3s and a monitored_aggregated_stats_refresh_rate of 5s, - // so we expect the estimated_schedule_density to span a minute (which means 20 buckets, as 60s / 3s = 20) - // Note: Due to an issue in ES, sometimes it returns 21 buckets for the active time span - // which causes miscalculation of the expected result (22) - expect( - workload.estimated_schedule_density.length === 20 || - workload.estimated_schedule_density.length === 22 - ).to.be(true); }); it('should return the task manager runtime stats', async () => { diff --git a/x-pack/test/reporting_api_integration/reporting_and_security/__snapshots__/generate_csv_discover.snap b/x-pack/test/reporting_api_integration/reporting_and_security/__snapshots__/generate_csv_discover.snap index b20a98a5287dd..928be4d7e85e1 100644 --- a/x-pack/test/reporting_api_integration/reporting_and_security/__snapshots__/generate_csv_discover.snap 
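Review bot: With the bucket-count assertion removed, `expect(Array.isArray(workload.estimated_schedule_density)).to.eql(true)` is the only remaining check on the density and it passes for `[]`, so the test no longer shows the estimate is populated at all. Keep a loose bound that is not sensitive to the ES bucket quirk the deleted comment described, e.g. `expect(workload.estimated_schedule_density.length).to.be.greaterThan(0);` followed by `workload.estimated_schedule_density.forEach((v) => expect(typeof v).to.eql('number'));`. The renamed title 'as an array' honestly describes the weaker test, but the original intent (roughly one minute of 3s poll buckets) should survive as a comment if not as an assertion.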
+++ b/x-pack/test/reporting_api_integration/reporting_and_security/__snapshots__/generate_csv_discover.snap 
@@ -8,3 +8,24 @@ bwMtOW0BH63Xcmy432HJ,ecommerce,\\"-\\",\\"Men's Clothing, Men's Shoes\\",\\"Men' 5AMtOW0BH63Xcmy432HJ,ecommerce,\\"-\\",\\"Men's Clothing\\",\\"Men's Clothing\\",EUR,Kamal,Kamal,\\"Kamal Salazar\\",\\"Kamal Salazar\\",MALE,39,Salazar,Salazar,\\"(empty)\\",Tuesday,1,\\"kamal@salazar-family.zzz\\",Istanbul,Asia,TR,\\"POINT (29 41)\\",Istanbul,\\"Spherecords, Spritechnologies\\",\\"Spherecords, Spritechnologies\\",\\"Jun 24, 2019 @ 00:00:00.000\\",567736,\\"sold_product_567736_24718, sold_product_567736_24306\\",\\"sold_product_567736_24718, sold_product_567736_24306\\",\\"11.992, 75\\",\\"11.992, 75\\",\\"Men's Clothing, Men's Clothing\\",\\"Men's Clothing, Men's Clothing\\",\\"Dec 13, 2016 @ 00:00:00.000, Dec 13, 2016 @ 00:00:00.000\\",\\"0, 0\\",\\"0, 0\\",\\"Spherecords, Spritechnologies\\",\\"Spherecords, Spritechnologies\\",\\"6.109, 36.75\\",\\"11.992, 75\\",\\"24,718, 24,306\\",\\"Pyjama bottoms - light grey multicolor, Waterproof trousers - scarlet\\",\\"Pyjama bottoms - light grey multicolor, Waterproof trousers - scarlet\\",\\"1, 1\\",\\"ZO0663706637, ZO0620906209\\",\\"0, 0\\",\\"11.992, 75\\",\\"11.992, 75\\",\\"0, 0\\",\\"ZO0663706637, ZO0620906209\\",87,87,2,2,order,kamal " `; + +exports[`Reporting APIs Generate CSV from SearchSource with unmapped fields includes all unmapped fields to the report 1`] = ` +"\\"_id\\",\\"_index\\",\\"_score\\",\\"nested.unmapped\\",text,unmapped +1,recipes,\\"-\\",\\"-\\",text1,unmapped1 +2,recipes,\\"-\\",unmapped2,text2,\\"-\\" +" +`; + +exports[`Reporting APIs Generate CSV from SearchSource with unmapped fields includes an unmapped field to the report 1`] = ` +"\\"_id\\",\\"_index\\",\\"_score\\",text,unmapped +1,recipes,\\"-\\",text1,unmapped1 +2,recipes,\\"-\\",text2,\\"-\\" +" +`; + +exports[`Reporting APIs Generate CSV from SearchSource with unmapped fields includes an unmapped nested field to the report 1`] = ` +"\\"_id\\",\\"_index\\",\\"_score\\",\\"nested.unmapped\\",text 
+1,recipes,\\"-\\",\\"-\\",text1 +2,recipes,\\"-\\",unmapped2,text2 +" +`; diff --git a/x-pack/test/reporting_api_integration/reporting_and_security/generate_csv_discover.ts b/x-pack/test/reporting_api_integration/reporting_and_security/generate_csv_discover.ts index 0490cddb568d2..d7f9d772f826d 100644 --- a/x-pack/test/reporting_api_integration/reporting_and_security/generate_csv_discover.ts +++ b/x-pack/test/reporting_api_integration/reporting_and_security/generate_csv_discover.ts @@ -12,6 +12,8 @@ import { FtrProviderContext } from '../ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function ({ getService }: FtrProviderContext) { + const esArchiver = getService('esArchiver'); + const kibanaServer = getService('kibanaServer'); const reportingAPI = getService('reportingAPI'); describe('Generate CSV from SearchSource', () => { 
@@ -71,5 +73,63 @@ export default function ({ getService }: FtrProviderContext) {
 await reportingAPI.teardownEcommerce();
 await reportingAPI.deleteAllReports();
 });
+
+ describe('with unmapped fields', () => {
+ before(async () => {
+ await esArchiver.loadIfNeeded(
+ 'x-pack/test/functional/es_archives/reporting/unmapped_fields'
+ );
+ await kibanaServer.importExport.load(
+ 'x-pack/test/functional/fixtures/kbn_archiver/reporting/unmapped_fields.json'
+ );
+ });
+
+ after(async () => {
+ await esArchiver.unload('x-pack/test/functional/es_archives/reporting/unmapped_fields');
+ await kibanaServer.importExport.unload(
+ 'x-pack/test/functional/fixtures/kbn_archiver/reporting/unmapped_fields.json'
+ );
+ });
+
+ async function generateCsvReport(fields: string[]) {
+ const { text } = await reportingAPI.generateCsv({
+ title: 'CSV Report',
+ browserTimezone: 'UTC',
+ objectType: 'search',
+ version: '7.15.0',
+ searchSource: {
+ version: true,
+ query: { query: '', language: 'kuery' },
+ index: '5c620ea0-dc4f-11ec-972a-bf98ce1eebd7',
+ sort: [{ order_date: 'desc' }],
+ fields: fields.map((field) => ({ field, include_unmapped: 'true' })),
+ filter: [],
+ } as SerializedSearchSourceFields,
+ });
+
+ const { path } = JSON.parse(text) as { path: string };
+ await reportingAPI.waitForJobToFinish(path);
+
+ return reportingAPI.getCompletedJobOutput(path);
+ }
+
+ it('includes an unmapped field to the report', async () => {
+ const csvFile = await generateCsvReport(['text', 'unmapped']);
+
+ expectSnapshot(csvFile).toMatch();
+ });
+
+ it('includes an unmapped nested field to the report', async () => {
+ const csvFile = await generateCsvReport(['text', 'nested.unmapped']);
+
+ expectSnapshot(csvFile).toMatch();
+ });
+
+ it('includes all unmapped fields to the report', async () => {
+ const csvFile = await generateCsvReport(['*']);
+
+ expectSnapshot(csvFile).toMatch();
+ });
+ });
 });
 }
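Review bot: The `before` hook loads the ES fixture with `esArchiver.loadIfNeeded(...)` but `after` unconditionally calls `esArchiver.unload(...)`, so if another suite in the same run had already loaded `reporting/unmapped_fields` this teardown removes its data; the kibanaServer fixture, by contrast, is loaded and unloaded symmetrically. Either use `esArchiver.load` in `before` or leave the unload to whichever suite loaded the archive. `generateCsvReport` also hard-codes `index: '5c620ea0-dc4f-11ec-972a-bf98ce1eebd7'` and `version: '7.15.0'` with nothing tying them to the fixture; a comment such as `// data view id and version come from fixtures/kbn_archiver/reporting/unmapped_fields.json` would save the next reader a grep. `SerializedSearchSourceFields` is used as a type here but no import for it appears in this file's earlier hunk, so it is presumably already imported above line 12 — worth confirming.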
diff --git a/x-pack/test/security_solution_endpoint/apps/endpoint/policy_list.ts b/x-pack/test/security_solution_endpoint/apps/endpoint/policy_list.ts
index 840c36a558ba0..ea05bc19b6dd1 100644
--- a/x-pack/test/security_solution_endpoint/apps/endpoint/policy_list.ts
+++ b/x-pack/test/security_solution_endpoint/apps/endpoint/policy_list.ts
@@ -41,7 +41,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
 await fleetButton.click();
 await testSubjects.existOrFail('createPackagePolicy_pageTitle');
 expect(await testSubjects.getVisibleText('createPackagePolicy_pageTitle')).to.equal(
- 'Add Endpoint Security integration'
+ 'Add Endpoint and Cloud Security integration'
 );
 });
 it('navigates back to the policy list page', async () => {
diff --git a/x-pack/test/session_view/basic/config.ts b/x-pack/test/session_view/basic/config.ts
new file mode 100644
index 0000000000000..02131054b0bca
--- /dev/null
+++ b/x-pack/test/session_view/basic/config.ts
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createTestConfig } from '../common/config';
+
+// eslint-disable-next-line import/no-default-export
+export default createTestConfig({
+ license: 'basic',
+ name: 'X-Pack session_view API integration tests (basic)',
+ testFiles: [require.resolve('./tests')],
+});
diff --git a/x-pack/test/session_view/basic/tests/index.ts b/x-pack/test/session_view/basic/tests/index.ts
new file mode 100644
index 0000000000000..9c57c2ea015d1
--- /dev/null
+++ b/x-pack/test/session_view/basic/tests/index.ts
@@ -0,0 +1,114 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../common/ftr_provider_context';
+import {
+ createUsersAndRoles,
+ deleteUsersAndRoles,
+} from '../../../rule_registry/common/lib/authentication';
+
+import {
+ superUser,
+ globalRead,
+ secOnlyReadSpacesAll,
+ obsOnlySpacesAll,
+ noKibanaPrivileges,
+} from '../../../rule_registry/common/lib/authentication/users';
+
+import { noKibanaPrivileges as noKibanaPrivilegesRole } from '../../../rule_registry/common/lib/authentication/roles';
+
+import { Role } from '../../../rule_registry/common/lib/authentication/types';
+
+const globalReadRole: Role = {
+ name: 'global_read',
+ privileges: {
+ elasticsearch: {
+ indices: [
+ {
+ privileges: ['all'],
+ names: ['logs-*'],
+ },
+ ],
+ },
+ kibana: [
+ {
+ base: ['read'],
+ spaces: ['*'],
+ },
+ ],
+ },
+};
+
+export const securitySolutionOnlyReadSpacesAll: Role = {
+ name: 'sec_only_read_spaces_all',
+ privileges: {
+ elasticsearch: {
+ indices: [
+ {
+ privileges: ['all'],
+ names: ['logs-*'],
+ },
+ ],
+ },
+ kibana: [
+ {
+ feature: {
+ siem: ['read'],
+ },
+ spaces: ['*'],
+ },
+ ],
+ },
+};
+
+export const observabilityOnlyAllSpacesAll: Role = {
+ name: 'obs_only_all_spaces_all',
+ privileges: {
+ elasticsearch: {
+ indices: [
+ {
+ privileges: ['all'],
+ names: ['logs-*'],
+ },
+ ],
+ },
+ kibana: [
+ {
+ feature: {
+ apm: ['all'],
+ },
+ spaces: ['*'],
+ },
+ ],
+ },
+};
+
+const users = [superUser, globalRead, secOnlyReadSpacesAll, obsOnlySpacesAll, noKibanaPrivileges];
+const roles = [
+ globalReadRole,
+ securitySolutionOnlyReadSpacesAll,
+ observabilityOnlyAllSpacesAll,
+ noKibanaPrivilegesRole,
+];
+
+// eslint-disable-next-line import/no-default-export
+export default function
kubernetesSecurityApiIntegrationTests({
+ loadTestFile,
+ getService,
+}: FtrProviderContext) {
+ describe('Session View API (basic)', function () {
+ before(async () => {
+ await createUsersAndRoles(getService, users, roles);
+ });
+
+ after(async () => {
+ await deleteUsersAndRoles(getService, users, roles);
+ });
+
+ loadTestFile(require.resolve('./process_events_route'));
+ });
+}
diff --git a/x-pack/test/session_view/basic/tests/process_events_route.ts b/x-pack/test/session_view/basic/tests/process_events_route.ts
new file mode 100644
index 0000000000000..04558df9f3bfb
--- /dev/null
+++ b/x-pack/test/session_view/basic/tests/process_events_route.ts
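Review bot: The default export is named `kubernetesSecurityApiIntegrationTests` while the suite it registers is `'Session View API (basic)'`, which reads as a leftover from the kubernetes_security suite this file was modelled on; `export default function sessionViewApiIntegrationTests({` would match the describe title. All three locally defined roles grant `privileges: ['all']` on `logs-*` even though two are named `global_read` and `sec_only_read_spaces_all`, so the difference between the test users lives entirely in the `kibana` feature privileges and not in Elasticsearch index privileges — a comment above `globalReadRole` saying that `logs-*` write access is intentional (or narrowing it to `['read']` if it is not) would make the authorization boundary under test explicit. These role definitions also reuse the `name` values of the rule_registry roles the imported users refer to, so if both suites run against one cluster the later `createUsersAndRoles` presumably replaces the earlier definition; that is probably intended, but it deserves a sentence.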
@@ -0,0 +1,160 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import {
+ PROCESS_EVENTS_ROUTE,
+ PROCESS_EVENTS_PER_PAGE,
+} from '@kbn/session-view-plugin/common/constants';
+import { FtrProviderContext } from '../../common/ftr_provider_context';
+import { User } from '../../../rule_registry/common/lib/authentication/types';
+
+import {
+ superUser,
+ globalRead,
+ secOnlyReadSpacesAll,
+ obsOnlySpacesAll,
+ noKibanaPrivileges,
+} from '../../../rule_registry/common/lib/authentication/users';
+
+const MOCK_SESSION_ENTITY_ID =
+ 'MDEwMTAxMDEtMDEwMS0wMTAxLTAxMDEtMDEwMTAxMDEwMTAxLTUyMDU3LTEzMjk2NDkxMDQwLjEzMDAwMDAwMA==';
+
+interface TestCase {
+ /** The ID of the alert */
+ authorizedUsers: User[];
+ /** Unauthorized users */
+ unauthorizedUsers: User[];
+}
+
+// eslint-disable-next-line import/no-default-export
+export default function processEventsTests({ getService }: FtrProviderContext) {
+ const supertest = getService('supertest');
+ const supertestWithoutAuth = getService('supertestWithoutAuth');
+ const esArchiver = getService('esArchiver');
+
+ describe(`Session view - ${PROCESS_EVENTS_ROUTE} - with a basic license`, () => {
+ before(async () => {
+ await esArchiver.load('x-pack/test/functional/es_archives/session_view/process_events');
+ await esArchiver.load('x-pack/test/functional/es_archives/session_view/alerts');
+ });
+
+ after(async () => {
+ await esArchiver.unload('x-pack/test/functional/es_archives/session_view/process_events');
+ await esArchiver.unload('x-pack/test/functional/es_archives/session_view/alerts');
+ });
+
+ it(`${PROCESS_EVENTS_ROUTE} returns a page of process events`, async () => {
+ const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({
+
sessionEntityId: MOCK_SESSION_ENTITY_ID,
+ });
+ expect(response.status).to.be(200);
+ expect(response.body.total).to.be(504);
+ expect(response.body.events.length).to.be(PROCESS_EVENTS_PER_PAGE);
+ });
+
+ it(`${PROCESS_EVENTS_ROUTE} returns a page of process events (w alerts) (paging forward)`, async () => {
+ const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({
+ sessionEntityId: MOCK_SESSION_ENTITY_ID,
+ cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert.
+ });
+ expect(response.status).to.be(200);
+
+ const alerts = response.body.events.filter(
+ (event: any) => event._source.event.kind === 'signal'
+ );
+
+ expect(alerts.length).to.above(0);
+ });
+
+ it(`${PROCESS_EVENTS_ROUTE} returns a page of process events (w alerts) (paging backwards)`, async () => {
+ const response = await supertest.get(PROCESS_EVENTS_ROUTE).set('kbn-xsrf', 'foo').query({
+ sessionEntityId: MOCK_SESSION_ENTITY_ID,
+ cursor: '2022-05-10T20:39:23.6817084Z',
+ forward: false,
+ });
+ expect(response.status).to.be(200);
+
+ const alerts = response.body.events.filter(
+ (event: any) => event._source.event.kind === 'signal'
+ );
+
+ expect(alerts.length).to.be(1); // only one since we are starting at the cursor of the first alert in the esarchiver data, and working backwards.
+
+ const events = response.body.events.filter(
+ (event: any) => event._source.event.kind === 'event'
+ );
+
+ expect(events[0]._source['@timestamp']).to.be.below(
+ events[events.length - 1]._source['@timestamp']
+ );
+ });
+
+ function addTests({ authorizedUsers, unauthorizedUsers }: TestCase) {
+ authorizedUsers.forEach(({ username, password }) => {
+ it(`${username} should be able to view alerts in session view`, async () => {
+ const response = await supertestWithoutAuth
+ .get(`${PROCESS_EVENTS_ROUTE}`)
+ .auth(username, password)
+ .set('kbn-xsrf', 'true')
+ .query({
+ sessionEntityId: MOCK_SESSION_ENTITY_ID,
+ cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert.
+ });
+ expect(response.status).to.be(200);
+
+ const alerts = response.body.events.filter(
+ (event: any) => event._source.event.kind === 'signal'
+ );
+
+ expect(alerts.length).to.above(0);
+ });
+ });
+
+ unauthorizedUsers.forEach(({ username, password }) => {
+ it(`${username} should NOT be able to view alerts in session view`, async () => {
+ const response = await supertestWithoutAuth
+ .get(`${PROCESS_EVENTS_ROUTE}`)
+ .auth(username, password)
+ .set('kbn-xsrf', 'true')
+ .query({
+ sessionEntityId: MOCK_SESSION_ENTITY_ID,
+ cursor: '2022-05-10T20:39:23.6817084Z', // paginating from the timestamp of the first alert.
+ });
+ expect(response.status).to.be(200);
+
+ if (username === 'no_kibana_privileges') {
+ expect(response.body.events.length).to.be.equal(0);
+ } else {
+ // process events should still load (since logs-* is granted, except for no_kibana_privileges user)
+ expect(response.body.events.length).to.be.above(0);
+ }
+
+ const alerts = response.body.events.filter(
+ (event: any) => event._source.event.kind === 'signal'
+ );
+
+ expect(alerts.length).to.be(0);
+ });
+ });
+ }
+
+ describe('Session View', () => {
+ const authorizedInAllSpaces = [superUser, globalRead, secOnlyReadSpacesAll];
+ const unauthorized = [
+ // these users are not authorized to get alerts for session view
+ obsOnlySpacesAll,
+ noKibanaPrivileges,
+ ];
+
+ addTests({
+ authorizedUsers: [...authorizedInAllSpaces],
+ unauthorizedUsers: [...unauthorized],
+ });
+ });
+ });
+}
diff --git a/x-pack/test/session_view/common/config.ts b/x-pack/test/session_view/common/config.ts
new file mode 100644
index 0000000000000..83249182084f3
--- /dev/null
+++ b/x-pack/test/session_view/common/config.ts
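Review bot: The doc comment on `TestCase.authorizedUsers` reads `/** The ID of the alert */`, a copy-paste leftover that describes nothing in this file; `/** Users expected to see alert (event.kind === 'signal') documents in the session view response */` is what the loops in `addTests` actually check. The unauthorized branch hard-codes `if (username === 'no_kibana_privileges')` while the user fixtures are imported, so `if (username === noKibanaPrivileges.username)` keeps the check tied to the fixture instead of a duplicated literal. Both the authorized and unauthorized loops assert `200`, so the contract being pinned is that the route filters alert documents per user rather than rejecting the request outright; a one-line comment above `function addTests` stating that would stop a later reader from "fixing" the unauthorized cases to expect 403.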
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+interface Settings {
+ license: 'basic' | 'trial';
+ testFiles: string[];
+ name: string;
+}
+
+export function createTestConfig(settings: Settings) {
+ const { testFiles, license, name } = settings;
+
+ return async ({ readConfigFile }: FtrConfigProviderContext) => {
+ const xPackAPITestsConfig = await readConfigFile(
+ require.resolve('../../api_integration/config.ts')
+ );
+
+ return {
+ testFiles,
+ servers: xPackAPITestsConfig.get('servers'),
+ services: xPackAPITestsConfig.get('services'),
+ junit: {
+ reportName: name,
+ },
+
+ esTestCluster: {
+ ...xPackAPITestsConfig.get('esTestCluster'),
+ license,
+ },
+ kbnTestServer: xPackAPITestsConfig.get('kbnTestServer'),
+ };
+ };
+}
diff --git a/x-pack/test/session_view/common/ftr_provider_context.ts b/x-pack/test/session_view/common/ftr_provider_context.ts
new file mode 100644
index 0000000000000..2ea45b854eb28
--- /dev/null
+++ b/x-pack/test/session_view/common/ftr_provider_context.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export type { FtrProviderContext } from '../../api_integration/ftr_provider_context';
diff --git a/x-pack/test/upgrade/apps/canvas/canvas_smoke_tests.ts b/x-pack/test/upgrade/apps/canvas/canvas_smoke_tests.ts
index 7de0e1247f01a..a46a4debe58ac 100644
--- a/x-pack/test/upgrade/apps/canvas/canvas_smoke_tests.ts
+++ b/x-pack/test/upgrade/apps/canvas/canvas_smoke_tests.ts
@@ -39,14 +39,16 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
 await PageObjects.header.waitUntilLoadingHasFinished();
 });
 it('renders elements on workpad ' + name + ' page ' + page, async () => {
- const currentUrl = await browser.getCurrentUrl();
- const [, hash] = currentUrl.split('#/');
- if (hash.length === 0) {
+ const browserUrl = await browser.getCurrentUrl();
+ const currentUrl = new URL(browserUrl);
+ const pathname = currentUrl.pathname;
+ const hash = currentUrl.hash;
+ if (hash.length === 0 && pathname.replace(/\/$/, '') === basePath + '/app/canvas') {
 throw new Error('Did not launch canvas sample data for ' + name);
 }
 if (name === 'ecommerce') {
- if (!currentUrl.includes('page/' + page)) {
- await browser.get(currentUrl.replace(/\/[^\/]*$/, '/' + page), false);
+ if (!browserUrl.includes('page/' + page)) {
+ await browser.get(browserUrl.replace(/\/[^\/]*$/, '/' + page), false);
 await PageObjects.header.waitUntilLoadingHasFinished();
 }
 }
diff --git a/x-pack/test/upgrade/apps/maps/maps_smoke_tests.ts b/x-pack/test/upgrade/apps/maps/maps_smoke_tests.ts
index ecb000d691ab0..334b4ce965905 100644
--- a/x-pack/test/upgrade/apps/maps/maps_smoke_tests.ts
+++ b/x-pack/test/upgrade/apps/maps/maps_smoke_tests.ts
@@ -123,10 +123,10 @@ export default function ({
 });
 it('should load layers', async () => {
 const percentDifference = await screenshot.compareAgainstBaseline(
- 'ecommerce_map',
+ 'upgrade_ecommerce_map',
 updateBaselines
 );
- expect(percentDifference.toFixed(3)).to.be.lessThan(0.031);
+ expect(percentDifference.toFixed(3)).to.be.lessThan(0.05);
 });
 });
 describe('space: ' + space + ', name: flights', () => {
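Review bot: The screenshot tolerance in `expect(percentDifference.toFixed(3)).to.be.lessThan(0.05)` is raised from 0.031 to 0.05 here and again in the two following hunks of maps_smoke_tests.ts (`flights_map`, `web_logs_map`) with no explanation of why the new `upgrade_*` baselines need more slack. A short comment above the first expectation, for example `// upgrade baselines are captured on a different base map / resolution than the functional ones, so allow a wider diff`, or whatever the actual reason is, would keep the number from drifting upward silently on the next flaky run. `percentDifference.toFixed(3)` yields a string, so the comparison presumably relies on coercion — `Number(percentDifference.toFixed(3))` would make the intent explicit, though this line is unchanged by the commit.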
@@ -147,10 +147,10 @@ export default function ({
 });
 it('should load saved object and display layers', async () => {
 const percentDifference = await screenshot.compareAgainstBaseline(
- 'flights_map',
+ 'upgrade_flights_map',
 updateBaselines
 );
- expect(percentDifference.toFixed(3)).to.be.lessThan(0.031);
+ expect(percentDifference.toFixed(3)).to.be.lessThan(0.05);
 });
 });
 describe('space: ' + space + ', name: web logs', () => {
@@ -172,10 +172,10 @@ export default function ({
 });
 it('should load saved object and display layers', async () => {
 const percentDifference = await screenshot.compareAgainstBaseline(
- 'web_logs_map',
+ 'upgrade_web_logs_map',
 updateBaselines
 );
- expect(percentDifference.toFixed(3)).to.be.lessThan(0.031);
+ expect(percentDifference.toFixed(3)).to.be.lessThan(0.05);
 });
 });
 });
diff --git a/x-pack/test/upgrade/config.ts b/x-pack/test/upgrade/config.ts
index 181abe8ca408f..a41006ed26a81 100644
--- a/x-pack/test/upgrade/config.ts
+++ b/x-pack/test/upgrade/config.ts
@@ -5,6 +5,8 @@
 * 2.0.
 */
+import { resolve } from 'path';
+
 import { FtrConfigProviderContext } from '@kbn/test';
 import { pageObjects } from '../functional/page_objects';
 import { ReportingAPIProvider } from './services/reporting_upgrade_services';
@@ -36,6 +38,10 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 mapsHelper: MapsHelper,
 },
+ screenshots: {
+ directory: resolve(__dirname, 'screenshots'),
+ },
+
 junit: {
 reportName: 'Kibana Core Tests',
 },
diff --git a/x-pack/test/upgrade/screenshots/baseline/upgrade_ecommerce_map.png b/x-pack/test/upgrade/screenshots/baseline/upgrade_ecommerce_map.png
new file mode 100644
index 0000000000000..df13f7d563bfe
Binary files /dev/null and b/x-pack/test/upgrade/screenshots/baseline/upgrade_ecommerce_map.png differ
diff --git a/x-pack/test/upgrade/screenshots/baseline/upgrade_flights_map.png b/x-pack/test/upgrade/screenshots/baseline/upgrade_flights_map.png
new file mode 100644
index 0000000000000..320a0940e2461
Binary files /dev/null and b/x-pack/test/upgrade/screenshots/baseline/upgrade_flights_map.png differ
diff --git a/x-pack/test/upgrade/screenshots/baseline/upgrade_web_logs_map.png b/x-pack/test/upgrade/screenshots/baseline/upgrade_web_logs_map.png
new file mode 100644
index 0000000000000..6cd145da94a67
Binary files /dev/null and b/x-pack/test/upgrade/screenshots/baseline/upgrade_web_logs_map.png differ
diff --git a/x-pack/test/upgrade/services/maps_upgrade_services.ts b/x-pack/test/upgrade/services/maps_upgrade_services.ts
index 7b80bce7682f0..28eafafc8663a 100644
--- a/x-pack/test/upgrade/services/maps_upgrade_services.ts
+++ b/x-pack/test/upgrade/services/maps_upgrade_services.ts
@@ -8,10 +8,23 @@ import { FtrProviderContext } from '../ftr_provider_context';
 export function MapsHelper({ getPageObjects, getService }: FtrProviderContext) {
- const PageObjects = getPageObjects(['maps']);
+ const PageObjects = getPageObjects(['maps', 'common']);
 const testSubjects = getService('testSubjects');
+ const log = getService('log');
 return {
+ async toggleLayerVisibility(layerName: string) {
+ log.debug('Inside toggleLayerVisibility');
+ await PageObjects.maps.openLayerTocActionsPanel(layerName);
+ await testSubjects.click('layerVisibilityToggleButton');
+ await PageObjects.common.sleep(3000);
+ const isTooltipOpen = await testSubjects.exists(`layerTocTooltip`, { timeout: 5000 });
+ if (isTooltipOpen) {
+ await testSubjects.click(`layerTocTooltip`);
+ await PageObjects.common.sleep(1000);
+ }
+ },
+
 // In v8.0, the default base map switched from bright to desaturated.
 // https://github.com/elastic/kibana/pull/116179
 // Maps created before this change will have a base map called "Road map"
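Review bot: `toggleLayerVisibility` relies on fixed waits — `await PageObjects.common.sleep(3000)` after the toggle click and `sleep(1000)` after dismissing the tooltip — which is the usual source of flaky functional tests: too short under CI load and always paid in full when the UI is fast. The tooltip lookup already waits with a timeout, so the first sleep could instead wait on the visibility state actually changing (the FTR `retry` service would fit, though it is not fetched in this hunk), and the second sleep could become a wait for the tooltip to disappear. `log.debug('Inside toggleLayerVisibility')` reads like leftover debugging; if it stays, logging the argument as well (`log.debug(\`toggleLayerVisibility: ${layerName}\`)`) makes it useful when a run fails. The new method is entirely within this hunk; `MapsHelper` continues past it.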
@@ -26,10 +39,10 @@ export function MapsHelper({ getPageObjects, getService }: FtrProviderContext) {
 throw new Error('Layer road map not found');
 }
 if (isRoadMapDesaturated) {
- await PageObjects.maps.toggleLayerVisibility('Road map - desaturated');
+ await this.toggleLayerVisibility('Road map - desaturated');
 }
 if (isRoadMap) {
- await PageObjects.maps.toggleLayerVisibility('Road map');
+ await this.toggleLayerVisibility('Road map');
 }
 },
diff --git a/yarn.lock b/yarn.lock
index dd9f1769f42bb..03c57f300ac26 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2976,6 +2976,10 @@
 version "0.0.0"
 uid ""
+"@kbn/config-mocks@link:bazel-bin/packages/kbn-config-mocks":
+ version "0.0.0"
+ uid ""
+
 "@kbn/config-schema@link:bazel-bin/packages/kbn-config-schema":
 version "0.0.0"
 uid ""
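Review bot: Both changed lines call `await this.toggleLayerVisibility(...)`, which only works while the method is invoked as a member of the object literal that `MapsHelper` returns; a caller that destructures the helper or passes this method around as a callback gets `this` undefined and a TypeError at the call site. Declaring `async function toggleLayerVisibility(layerName: string)` inside the `MapsHelper` closure and exposing it from the returned object (`toggleLayerVisibility,`) removes the binding dependency while keeping the public surface the same. The enclosing method starts before this hunk, so its name is not visible here.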
@@ -2984,6 +2988,38 @@ version "0.0.0" uid "" +"@kbn/core-base-browser-internal@link:bazel-bin/packages/core/base/core-base-browser-internal": + version "0.0.0" + uid "" + +"@kbn/core-base-common-internal@link:bazel-bin/packages/core/base/core-base-common-internal": + version "0.0.0" + uid "" + +"@kbn/core-base-common@link:bazel-bin/packages/core/base/core-base-common": + version "0.0.0" + uid "" + +"@kbn/core-base-server-internal@link:bazel-bin/packages/core/base/core-base-server-internal": + version "0.0.0" + uid "" + +"@kbn/core-injected-metadata-browser-internal@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-internal": + version "0.0.0" + uid "" + +"@kbn/core-injected-metadata-browser-mocks@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-mocks": + version "0.0.0" + uid "" + +"@kbn/core-injected-metadata-browser@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser": + version "0.0.0" + uid "" + +"@kbn/core-injected-metadata-common-internal@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-common-internal": + version "0.0.0" + uid "" + "@kbn/crypto@link:bazel-bin/packages/kbn-crypto": version "0.0.0" uid "" 
@@ -5699,12 +5735,12 @@ resolved "https://registry.yarnpkg.com/@types/d3-path/-/d3-path-1.0.7.tgz#a0736fceed688a695f48265a82ff7a3369414b81" integrity sha512-U8dFRG+8WhkLJr2sxZ9Cw/5WeRgBnNqMxGdA1+Z0+ZG6tK0s75OQ4OXnxeyfKuh6E4wQPY8OAKr1+iNDx01BEQ== -"@types/d3-scale@^2.1.1": - version "2.1.1" - resolved "https://registry.yarnpkg.com/@types/d3-scale/-/d3-scale-2.1.1.tgz#405e58771ec6ae7b8f7b4178ee1887620759e8f7" - integrity sha512-kNTkbZQ+N/Ip8oX9PByXfDLoCSaZYm+VUOasbmsa6KD850/ziMdYepg/8kLg2plHzoLANdMqPoYQbvExevLUHg== +"@types/d3-scale@^2.2.6": + version "2.2.6" + resolved "https://registry.yarnpkg.com/@types/d3-scale/-/d3-scale-2.2.6.tgz#28540b4dfc99d978970e873e4138a6bea2ea6ab8" + integrity sha512-CHu34T5bGrJOeuhGxyiz9Xvaa9PlsIaQoOqjDg7zqeGj2x0rwPhGquiy03unigvcMxmvY0hEaAouT0LOFTLpIw== dependencies: - "@types/d3-time" "*" + "@types/d3-time" "^1" "@types/d3-shape@^1.3.1": version "1.3.1" @@ -5718,7 +5754,7 @@ resolved "https://registry.yarnpkg.com/@types/d3-time-format/-/d3-time-format-2.1.1.tgz#dd2c79ec4575f1355484ab6b10407824668eba42" integrity sha512-tJSyXta8ZyJ52wDDHA96JEsvkbL6jl7wowGmuf45+fAkj5Y+SQOnz0N7/H68OWmPshPsAaWMQh+GAws44IzH3g== -"@types/d3-time@*", "@types/d3-time@^1.0.10": +"@types/d3-time@^1", "@types/d3-time@^1.0.10": version "1.0.10" resolved "https://registry.yarnpkg.com/@types/d3-time/-/d3-time-1.0.10.tgz#d338c7feac93a98a32aac875d1100f92c7b61f4f" integrity sha512-aKf62rRQafDQmSiv1NylKhIMmznsjRN+MnXRXTqHoqm0U/UZzVpdrtRnSIfdiLS616OuC1soYeX1dBg2n1u8Xw== @@ -6222,6 +6258,10 @@ version "0.0.0" uid "" +"@types/kbn__config-mocks@link:bazel-bin/packages/kbn-config-mocks/npm_module_types": + version "0.0.0" + uid "" + "@types/kbn__config-schema@link:bazel-bin/packages/kbn-config-schema/npm_module_types": version "0.0.0" uid "" 
@@ -6230,6 +6270,58 @@ version "0.0.0" uid "" +"@types/kbn__core-base-browser-internal@link:bazel-bin/packages/core/base/core-base-browser-internal/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-base-browser@link:bazel-bin/packages/core/base/core-base-browser/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-base-common-internal@link:bazel-bin/packages/core/base/core-base-common-internal/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-base-common@link:bazel-bin/packages/core/base/core-base-common/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-base-server-internal@link:bazel-bin/packages/core/base/core-base-server-internal/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-base-server@link:bazel-bin/packages/core/base/core-base-server/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-common-internal-base@link:bazel-bin/packages/core/common/internal-base/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-injected-metadata-browser-internal@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-internal/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-injected-metadata-browser-mocks@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser-mocks/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-injected-metadata-browser@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-browser/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-injected-metadata-common-internal@link:bazel-bin/packages/core/injected-metadata/core-injected-metadata-common-internal/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-public-internal-base@link:bazel-bin/packages/core/public/internal-base/npm_module_types": + version "0.0.0" + uid "" + +"@types/kbn__core-server-internal-base@link:bazel-bin/packages/core/server/internal-base/npm_module_types": 
+ version "0.0.0" + uid "" + "@types/kbn__crypto@link:bazel-bin/packages/kbn-crypto/npm_module_types": version "0.0.0" uid "" @@ -11086,10 +11178,10 @@ core-js@^2.4.0, core-js@^2.5.0, core-js@^2.6.9: resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.6.9.tgz#6b4b214620c834152e179323727fc19741b084f2" integrity sha512-HOpZf6eXmnl7la+cUdMnLvUxKNqLUzJvgIziQ0DiF3JwSImNphIqdGqzj6hIKyX04MmV0poclQ7+wjWvxQyR2A== -core-js@^3.0.4, core-js@^3.22.5, core-js@^3.6.5, core-js@^3.8.2, core-js@^3.8.3: - version "3.22.5" - resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.22.5.tgz#a5f5a58e663d5c0ebb4e680cd7be37536fb2a9cf" - integrity sha512-VP/xYuvJ0MJWRAobcmQ8F2H6Bsn+s7zqAAjFaHGBMc5AQm7zaelhD1LGduFn2EehEcQcU+br6t+fwbpQ5d1ZWA== +core-js@^3.0.4, core-js@^3.22.7, core-js@^3.6.5, core-js@^3.8.2, core-js@^3.8.3: + version "3.22.7" + resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.22.7.tgz#8d6c37f630f6139b8732d10f2c114c3f1d00024f" + integrity sha512-Jt8SReuDKVNZnZEzyEQT5eK6T2RRCXkfTq7Lo09kpm+fHjgGewSbNjV+Wt4yZMhPDdzz2x1ulI5z/w4nxpBseg== core-util-is@1.0.2, core-util-is@^1.0.2, core-util-is@~1.0.0: version "1.0.2" @@ -11908,7 +12000,7 @@ d3-sankey@^0.7.1: d3-collection "1" d3-shape "^1.2.0" -d3-scale@1.0.7, d3-scale@^1.0.5, d3-scale@^1.0.7: +d3-scale@^1.0.5, d3-scale@^1.0.7: version "1.0.7" resolved "https://registry.yarnpkg.com/d3-scale/-/d3-scale-1.0.7.tgz#fa90324b3ea8a776422bd0472afab0b252a0945d" integrity sha512-KvU92czp2/qse5tUfGms6Kjig0AhHOwkzXG0+PqIJB3ke0WUv088AHMZI0OssO9NCkXt4RP8yju9rpH8aGB7Lw== 
@@ -11921,6 +12013,18 @@ d3-scale@1.0.7, d3-scale@^1.0.5, d3-scale@^1.0.7: d3-time "1" d3-time-format "2" +d3-scale@^2.2.2: + version "2.2.2" + resolved "https://registry.yarnpkg.com/d3-scale/-/d3-scale-2.2.2.tgz#4e880e0b2745acaaddd3ede26a9e908a9e17b81f" + integrity sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw== + dependencies: + d3-array "^1.2.0" + d3-collection "1" + d3-format "1" + d3-interpolate "1" + d3-time "1" + d3-time-format "2" + d3-scale@^4.0.2: version "4.0.2" resolved "https://registry.yarnpkg.com/d3-scale/-/d3-scale-4.0.2.tgz#82b38e8e8ff7080764f8dcec77bd4be393689396"